Point of Sale Cyber Attacks


Over the past two years, security breaches have been regular front-page news items. Large retailers, card processors, and universities grab the public’s attention as 10 to 30 million credit cards are announced stolen in an average haul. Typically very little fraud occurs from these cyber heists, as mechanisms are in place to quickly alert both the merchants themselves and the banks. However, a much more insidious crime is epidemic in the digital underground. Hundreds, perhaps thousands, of much smaller merchants are being targeted every year by organized crime.
The target is not a database running on some exotic payment or storage system but the point of sale system Johnny Q Public sees and uses every day, from the café where they get their morning cappuccino and the sandwich shop they go to for lunch to the Mexican food chain they take their family to for dinner. A typical compromise will bring an attacker 150,000 to 300,000 credit card numbers. The break-in will not be noticed for six months to a little over a year. No special skillz necessary.
This paper will present current trends in credit card fraud, specifically those concerning attacks on Point of Sale systems found in the food services sector. We will look beyond the headlines of much larger cyber attacks such as TJ Maxx, DSW Shoe Warehouse, and BJ’s to see how organized crime targets the weak underbelly of the American digital economy.
The paper brings to light how restaurateurs are unaware of the risks these issues pose and how third parties fail to develop, install and maintain their systems. Finally, we will examine how credit card companies are trying to stop the bleeding through Payment Card Industry (PCI) requirements and why they are failing.

Why are Brick and Mortar High Risk

While e-commerce web sites are still targets of opportunity for cyber criminals, a more lucrative prize has emerged over the last two years. Cyber criminals have found that full magnetic stripe data, the full contents of the stripe on the back of every credit card, is available at thousands of locations all across the internet. This type of data has long been available only when a criminal has physical access to a credit card. Typically someone makes an extra swipe of a credit card during a transaction. It could be a waiter or a store clerk or anyone who handles credit cards for payment. Instead of just charging the card, the thief makes an extra swipe of the credit card into a small hand-held device known as a skimmer.
However, as merchants have become increasingly wired, they have opened up previously closed attack surfaces. Payment systems which previously existed in a closed environment find themselves open to the unforgiving internet. The software which runs these systems was typically written five or more years ago and was not developed with security in mind. Encryption is weak if it exists at all. Insecure transport protocols are utilized.
Restaurants are a favorite target for cybercriminals. The number of credit card transactions is particularly high. In a typical security breach at a restaurant, an attacker will steal cardholder information for approximately 40,000 cards—far from mere skimming. Once stolen the card information is used to create dummy cards, actual physical plastic cards that include the stolen card information encoded on the card’s magnetic stripe, for sale on the black market.
These merchants are what the credit card companies refer to as Level 4 merchants. There are around 6 million Level 4 merchants—defined as those doing fewer than 1 million transactions a year—and they account for nearly one-third of Visa’s volume.

Cyber Crime Trends

Fundamentals of an Attack

Generally speaking, there are two types of Point of Sale devices used by merchants, retailers or restaurants: the hardware-based credit card terminal appliance and the software-based client/server model, which can run on any Wintel computer. The software-based Point of Sale (POS) systems are what attackers are targeting today. A POS compromise, whether BotNet-based or originating from an individual computer, follows an all too familiar attack methodology.
For this discussion and for the paper as a whole, we have directed our attention to three popular POS systems. The vendors’ names have been left out.


The Point of Sale software analyzed all runs on a Windows operating system. The systems in use today run on anything from Windows 98 to Windows 2000 and Windows XP. As such, attackers were able to fingerprint a specific POS through exposed services, user accounts, registry entries, banner text, and remote access software.

Point of Sale Devices; Software vs. Hardware Versions

What are the criminals stealing

The theft of full magnetic stripe data, that is the contents of the black half inch stripe on the back of all credit and debit cards, creates a very problematic situation for law enforcement and credit card companies. Unlike

Protection Responsibilities: The Consumer and Merchant

In the event of a breach, loss of business is not the only consequence. The theft of cardholder information can seriously undermine the brand of a credit card association, and they will fine the liable party accordingly. Before 2004, to assure consumers of their brands’ reputations as trustworthy payment options, each of the major card associations (Visa, MasterCard, American Express and Discover) drew up individual data security programs that they required merchants to follow in order to accept their card brand. Visa developed the Cardholder Information Security Program (CISP), MasterCard the Site Data Protection (SDP) program, American Express the Data Security Operating Policy (DSOP), and Discover the Discover Information Security and Compliance (DISC) program. As one might imagine, the process of ensuring that a place of business complied with four different, yet equally complex, security policies proved quite unwieldy for many merchants. To alleviate this issue, in December 2004, Visa and MasterCard announced the creation of the Payment Card Industry Data Security Standard (PCI DSS). Though specific requirements will be discussed in detail later on in this paper, in brief the PCI DSS requires that merchants build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The PCI DSS, a slight variation on Visa’s CISP, aligned CISP with SDP and created “a worldwide standard for consumer data protection across the payment industry.” Both American Express and Discover are in the process of endorsing the standard.
All of the card associations require that any member, merchant or service provider that stores, processes or transmits cardholder data must comply with the PCI DSS. Any restaurant that accepts payment cards, no matter how small the transaction volume, is a merchant that stores, processes or transmits cardholder data and thus must comply with the PCI DSS. While the previous statement may seem obvious, we’ve found that many restaurant owners and managers simply never realized this fact until it was too late. Not complying with even just one requirement could, in the event of a breach, lead to fines and ultimately, expulsion from the Visa, MasterCard, American Express or Discover networks.



~ by David Barnett on September 15, 2007.
