10 March 2014

DON'T BE A TARGET... ON RETAIL POS, BANKS, EMV & WINDOWS XP...

McAfee Labs' latest report reveals that hackers are using basic 'off the shelf' malware to target retail POS systems, a very topical subject, I’m sure you will agree... But we have to remember that the breaches mentioned in the McAfee report took place in the US, and there is one notable difference between retailers there and those in Europe: the US haven’t yet adopted EMV (aka Chip & PIN)...

Don’t get me wrong, I am not saying that EMV is a panacea for everything, but it has indeed helped in the substantial reduction of fraud at the physical POS in all countries where it has been deployed. If in doubt, see the UK example, with the Financial Fraud Action Annual Review 2013 stating that
“Card fraud losses on the UK high street increased by 26 per cent in 2012 to £54.5 million, but are down 75 per cent since the peak losses of £218.8 million in 2004, prior to the roll out of Chip & PIN in the UK. Undoubtedly some of the recent increase is due to the fact that fraudsters are returning to more basic crimes, finding ways of stealing both the card and the PIN in order to undertake fraudulent transactions in shops and stores (and indeed, ID Theft is rife). For example, criminals are targeting cards and PINs through distraction theft and shoulder surfing, as well as social engineering methods to dupe victims into handing over their cards on their own doorstep. This is because Chip & PIN has closed down opportunities for criminals in terms of compromise of cards and use in the UK. Cards could also be used fraudulently as a result of mail-non-receipt, where the fraudster has been able to intercept both the card and its PIN on the way to the cardholder, or where a fraudster has taken over an account and ordered a new card and PIN.”

And for further evidence, see also the move by MasterCard and Visa Inc. to deploy security best practice and speed up EMV adoption following recent retailer breaches.

And this brings me neatly to PCI DSS, because each time we have a retailer breach, it will invariably invite comments on the suitability of the standard for best practice to protect the card payments value chain.

I have always believed that PCI DSS is a good set of controls and organisations should look at it as a minimum standard that they should achieve (even if they are not involved in card payments). It has been evidenced in the recent Verizon PCI Compliance Report 2014 that organisations that are breached tend to be less compliant with PCI DSS than the average of organisations in their research. That’s nothing new. After all, assessing PCI DSS is only ever a sampling exercise by the QSA and only offers a snapshot at a point in time. An organisation will only be as strong as its business-as-usual security practices, making sure that they cover all aspects of people, process and technology. Looking at the Target data breach, we all know by now that it originated at a third party (a refrigeration firm); for the full story on the Target data breach, see "A tale of loss, disappointment and high finance...". Does PCI DSS make provisions for third party security? PCI DSS v2.0 had elements of it (remote access, credentials, etc.), but I have always believed it was never sufficiently explicit (and then it comes down to the diligence of the acquirers and card schemes to promote/enforce best practice). I am very pleased that v3.0 is much clearer and even has some new requirements specifically looking at third party risk management as well as the responsibilities of third parties themselves. As the payment value/supply chain has exploded in line with the many (welcome) innovations we see on the market, the risks are now very different and new entrants don’t necessarily fit within the existing risk/security frameworks.

Which is why I believe supply chain due diligence must become a key business operations skill going forward, and that necessarily must include information security... Now, on the likelihood of a similar breach at the POS happening here in the UK, the Verizon report I mentioned earlier states that “31.3% of European organizations complied with 80%+ of DSS 2.0 controls, lagging the North America (56.2%) and Asia-Pacific (75.0%) Regions”. I’ll let you draw your own conclusions...

At the end of the day, it is well documented how hackers target POS systems, and it will invariably include attacks on terminals (e.g. skimmers, firmware, inserted components), network sniffing (within the corporate network and over public networks), RAM scraping, etc. And the mitigation efforts to put in place are not new either (e.g. firewalls, encryption, end-point security, log management/monitoring, etc.).
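As an added illustration of the log management/monitoring side of those mitigations, the Python below is example code written for this page (it is not from McAfee, Verizon, Microsoft or any other party mentioned above). It runs a small RAM-scraping detection over a handful of constructed host-sensor events, flagging any non-allowlisted process that opens the POS application's memory for reading, and raising the severity when that same process then writes a file or connects out. It also scans a constructed dropped file for card-number-length digit runs that pass the Luhn check. The single-line key=value event format, the path C:\POS\pos.exe, the allowlist and the sample data are all assumptions made up for the example.

```python
import re

# Added example: a small detector for two indicators named in the text, memory
# reads of the POS process (RAM scraping) and card numbers sitting in a dropped
# file. Event format, paths and allowlist are all constructed for this example.

# PROCESS_VM_READ bit of a Windows process access mask: a process that reads
# another process's memory has to request it.
PROCESS_VM_READ = 0x0010

# Constructed: the POS application and the processes allowed to open it.
POS_PROCESS = r"C:\POS\pos.exe"
ALLOWED_READERS = {POS_PROCESS, r"C:\EPP\agent.exe"}

# Constructed host-sensor events, one per line: timestamp then key=value pairs.
SAMPLE_EVENTS = [
    r"2014-03-10T09:14:02Z host=POS-LANE-03 event=ProcessAccess source=C:\POS\pos.exe target=C:\POS\pos.exe access=0x1410",
    r"2014-03-10T09:15:44Z host=POS-LANE-03 event=ProcessAccess source=C:\Windows\System32\svchost.exe target=C:\POS\pos.exe access=0x1000",
    r"2014-03-10T09:16:10Z host=POS-LANE-03 event=ProcessAccess source=C:\Windows\Temp\upd.exe target=C:\POS\pos.exe access=0x1410",
    r"2014-03-10T09:17:01Z host=POS-LANE-03 event=NetworkConnect source=C:\Windows\Temp\upd.exe dest=198.51.100.7:443",
    r"2014-03-10T09:17:05Z host=POS-LANE-03 event=FileWrite source=C:\Windows\Temp\upd.exe path=C:\Windows\Temp\out.txt",
]

# Constructed contents of the dropped file: one well-known test-card PAN among
# other numbers that are not card numbers.
SAMPLE_DROP_FILE = "order=1234567890123\n4111111111111111\nbatch=20140310\n"

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def memory_read_alerts(lines, pos_process=POS_PROCESS, allowed=ALLOWED_READERS):
    """Return (timestamp, source, severity) for each unexpected read of POS memory.

    A ProcessAccess event counts when its target is the POS process, the access
    mask includes PROCESS_VM_READ, and the source is not allowlisted. Severity is
    'high' when the same source later writes a file or connects out (the
    read-then-exfiltrate pattern), otherwise 'medium'.
    """
    events = [parse_event(line) for line in lines]
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("event") != "ProcessAccess" or ev.get("target") != pos_process:
            continue
        if not int(ev.get("access", "0"), 16) & PROCESS_VM_READ:
            continue
        src = ev.get("source")
        if src in allowed:
            continue
        followed_by_egress = any(
            later.get("source") == src
            and later.get("event") in ("FileWrite", "NetworkConnect")
            for later in events[i + 1:]
        )
        alerts.append((ev["ts"], src, "high" if followed_by_egress else "medium"))
    return alerts


def luhn_ok(digits):
    """Luhn check-digit validation, as used for payment card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text):
    """Digit runs of card-number length that also pass the Luhn check."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    for ts, src, sev in memory_read_alerts(SAMPLE_EVENTS):
        print(f"{sev.upper()}: {src} read POS process memory at {ts}")
    print("PAN-like values in dropped file:", find_pans(SAMPLE_DROP_FILE))
```

The allowlist is the part that needs care in practice: on a real estate it should be derived from a known-good build of the POS image, and the svchost.exe event above shows why the access mask matters, since plenty of legitimate processes query a POS process without ever reading its memory.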

And we couldn’t mention POS systems without mentioning Microsoft ending all technical assistance for Windows XP... Perhaps worth remembering that many POS environments run Windows XP. This is also the case for many financial systems (e.g. branch tellers and ATMs; see the warning here from the PCI SSC). And also, according to FireEye, about 90% of the vulnerabilities for Windows XP are found in third-party programs such as Adobe or Java. So those organisations who are only realising this now may struggle to mitigate their security risks in time. Having said that, the timeline is slightly different depending on which version of XP is used:

  • Microsoft will no longer provide security patches for Windows XP as of 8th April 2014 (they have however confirmed that Microsoft's monthly Malicious Software Removal Tool (MSRT), which aligns with Microsoft's anti-malware engines and signatures, will remain available until 14th July 2015, but XP users will need to download the software from its website manually).
  • For Windows XP Embedded, the deadline is extended to January 12, 2016 (many POS devices use this).
Footnote: Windows XP is still very popular in China, so it will be interesting to see developments there; since it is probably fair to say that Microsoft hasn’t got the same level of access there, organisations based in China may have interesting times ahead...

But let’s put things into perspective: would a major data breach happen at a F2F retailer in Europe (or at least in an EMV Zone 1 country)? It could, but there are far easier fish to fry for criminals (such as US retailers)... Will F2F retailer data breaches continue to happen in the US? Yes, I think so, at least until they start deploying EMV ([UPDATED 18th April 2014] and indeed, they continue to happen... See Neiman Marcus, Michaels Stores, and many others...). Will a retailer data breach happen in the UK/Europe? Yes, absolutely: e-commerce sites are still a relatively easy target for criminals, but we probably won’t get to hear about it much as disclosure laws are somewhat different over here (that is, until the EU data protection regulations come into force...). And of course, it's not always external actors that can cause damage to an organisation, as in the case of supermarket Morrisons...

And finally, for a fun visualisation of data breaches worldwide since 2004, see here...

Until next time...
neirajones