Remote Access Attacks: A Motif in Retail & Service Provider Breaches
With remote access tools, who needs to steal a physical device to get access to payment data? A recent hack of a parking management service provider proves that access security is paramount to keeping customer payment card data safe.
SP+ recently reported that an unauthorized person used the remote access tool of a payment system provider to connect to computers that process payment cards in 17 or so locations in the U.S. The attacker installed malware that detected payment card data as it was routed through the parking facility payment systems to steal customer names, card numbers, expiration dates and verification codes.
Access to POS Vendor Systems: Gateway to Retail Payment Data
Payment providers, or point-of-sale (POS) providers, are common targets for criminals looking for a way to access larger companies and their customers’ data. The Illinois-based sandwich franchise Jimmy John’s was breached this summer after an intruder stole login credentials from the company’s POS vendor and remotely accessed the POS systems at 216 different locations to steal payment data.
Their POS vendor, Signature Systems, reported that they found malware on their systems that hadn’t been detected by their antivirus. A longer list of other restaurants using the provider was also breached. While the company said they were developing a new application with end-to-end encryption that would block malware, there’s no word on how they planned to stop intruders from accessing their systems in the first place.
Goodwill is another retail chain that was breached via its POS vendor, C&K Systems, resulting in the theft of more than 800k customer records early this year. While no information came out of their investigation about the initial point of entry, experts quoted by BankInfoSecurity.com suggest that a remote access attack was made possible by means of a weak or default password, and/or phishing/social engineering. That would make it yet another attack on access to systems with payment card data.
Third-Party Access - Threat Not Limited to Just Retail
And retail organizations are not the only targets, as this case shows: any provider that swipes a credit card in exchange for services may become a new mark. KrebsonSecurity.com reported on incidents of credit card number theft starting in February 2014 that hit dozens of carwash locations in the nation.
The common theme? They all used the same POS system provided by Micrologic Associates, and the remote access tool, Symantec’s pcAnywhere software that was breached in 2012, was exploited. Symantec announced the tool’s end-of-life in May 2014, with no plans of replacing it. A detective on the case found that default credentials for the tool were never changed, which may have given an intruder easy access.
The Answer: Securing Access
Although encryption is considered a best practice, and using a PA-DSS compliant POS provider is a step in the right direction, cutting off access for intruders is one of the most effective and simple ways to deter a remote access attack.
With two-factor authentication in place, remote attackers can’t access your POS systems armed only with a username and password. An effective two-factor solution lets you generate one-time or event-based passcodes for contractors that might only need temporary access.
As SP+ reported in their announcement about their remediation actions after the breach:
The malware has been disabled on all affected servers, and SP+ has required that the vendor convert to the use of two-factor authentication for remote access.
Two-factor authentication for remote access is required by PCI DSS and is a best practice for strengthening access security with applications that process payment card data.
Check out this 150-page guide to help you navigate some of the new risks in the retail industry, with a few security recommendations to boot:
Avoiding Catastrophic Data Breaches in the Retail Industry
In this guide, you’ll learn:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers that need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the retail industry.