Tuesday 3 June 2014

SC Congress: POS Breaches, Target & PCI DSS Compliance

I was privileged to speak at the SC Congress in London today. I was asked to talk about my views on Point of Sale (POS) credit card data breaches which had recently occurred stateside, the role of PCI DSS compliance with such breaches, and whether the UK could expect similar breaches despite widespread adoption of Chip & Pin (EMV), and what are the lessons to be learnt. 

The following is a summary of what I said.

In the United States there has been a number of high profile Point of Sale (POS) credit card data breaches, occurring at around seven shopping chains towards the end of last year. The most provident of these breaches was at Target, where hackers stole an estimated 40 million credit card details.  The hackers managed to load credit card data stealing malware onto Target’s POS systems, in each of Target’s 1800 stores. It is one of the largest and most sophisticated data breaches the payment card industry has ever seen.

As Target cashiers swiped customer’s credit cards on a POS, which is essentially a workstation with a magnetic swipe card reader, the credit card data, which is in clear text on the magnetic stripe on the back of the card, is loaded into the POS RAM. At this point the malware on the POS would copy the contents of the RAM, this is known as RAM scrapping. The malware then moves the credit card data out of the Target network into the hands of the attackers, who sell them on to card fraudsters at a profit.

But there is much more to this breach than the POS malware, to better understand this, we need to rollback the timeline of start the breach process, to see how the attackers got the malware onto the POS systems in the first place.

It all starts with Fazio Heating & Cooling LCC, a company providing Heating, Ventilation and Air Condition (HVAC) services to Target. Target have provided Fazio with remote access into their network, to allow Fazio to perform ebilling and exchange project management information. It is understood this network access was a basic remote access system, it is suggested it could be as simple as an RDP connection, with Fazio remote accessing into a Target server using a username and password.  At some point in 2013, Fazio was subjected to a cyber attack, its employees were sent phishing emails laced with malware. This attack resulted in the theft of the Target remote access credentials. It is likely these remote access credentials were offered for sale online and then bought by the would-be card hackers, this is my assumption.

In mid November 2013 the attackers supposedly used the Fazio credentials to access the Target network. It is not clear whether Target had a flat network or had their payment systems network segmented from their corporate systems, my assumption would be the payment environment and store POS systems would have been network segmented, but we can’t be certain. Either way the attackers managed to gain access to Target’s payment network and POS systems within all 1800 stores.  The attackers likely spent the first few days customizing and testing their POS malware. The POS malware itself was probably purchased from a third party, there are suggestions it was a malware kit known as Black POS, which was written and sold by Russian teenager for couple thousand dollars.

Once the attackers had finished testing and had the POS malware successfully performing, they then used Target’s own systems to deploy the malware onto POS systems within all of Target’s 1800 stores.  At this point it is getting on to late November 2013, the busiest time of year for shopping in the US, think Black Friday. The POS malware lifted credit card details in the millions over the next few weeks. Meanwhile it is believed Target’s IT system’s logged and alerted this network intrusion, but there was no monitoring and reaction to these alerts by Target staff. Which is very good news for the attackers, as the clock is ticking for them to monetize credit card data before card issuers and banks learn of the data theft, which leads to the cancelation of stolen cards and the enabling of additional anti-fraud monitoring against possible compromised credit cards, all would significantly devalue the payment card data stolen.

The POS malware deposits the vast amount of card data onto compromised systems located around world, the hackers collate the data, and put them up for sale on ‘carding’ forums, chatrooms and websites in chunks, with individual cards sold for between $18 and $38, after which card details are used fraudulently.

After a couple of weeks of selling card data to fraudsters, the likes of Visa, Mastercard and banks spot a spike in fraud, since over million of the stolen cards are now being used in fraudulent transactions. They spot a common source with the fraud spike, in that the cards were all used at Target stores.  In mid December 2013, Target are contacted and told their payment systems have been compromised.  Target have no choice but to bring in forensic investigators, together with the involvement of law enforcement and the US secret service, go onto discover the POS malware, and also uncover that more than 70 million Target customer records (personal information) had also been stolen.

The PCI Compliance Factor
In September 2013, Target completed a Payment Card Industry Data Security Standard (PCI DSS) assessment by one of the largest PCI Qualified Security Assessor (QSA) companies. A PCI assessment, even by a seasoned QSA, is a sampling exercise, it doesn’t prove the entity being assessed is actually operating in a continued PCI DSS state, 24-7-365. A PCI DSS assessment boils down to a judgment of compliance, determined by interview questions, and the QSA reviewing sample from the environment. Nether–the-less Target tried to sue their QSA company due to the breach, but the lawsuit was quietly dropped a few weeks later.

It is highly doubtful that Target where operating in a PCI DSS compliance state at the time of the breach, given; remote access appeared not to use two factor authentication, there was poor third party management, poor network segmentation, poor system monitoring and reaction, etc. all are standout PCI DSS requirements. So you really can’t point the finger at the PCI DSS, so what of the QSA assessing compliance?  All QSAs have a ‘get out of jail free’ zero responsibility card when comes to PCI DSS assessments, perhaps you could question how thorough the PCI DSS assessment was, but without reviewing the actual documentation and Report on Compliance (RoC), there no way we can know.

The breach has really hit Target hard in terms of costs, the like for like Q4 profits was down significantly, with the company already shelling out $61million in dealing with the breach, and a further $100 million allocated for the upgrade of their POS systems to Chip and Pin. With the breach hurting the profits, it is little surprise to see CEO shown the door last month.

Could a POS breach happen in the UK?
Yes, and No. Skimming debit/credit card data from POS system is more difficult in the UK, given most POS systems use a dedicated separate chip and pin device, which is more often than not, is PCI-PTS security accredited. However if hackers gain access to the payment network of a company, then there are a multitude of attack methods that can be attempted to harvest credit card data on mass, they don’t need to attack the POS.

PCI DSS isn’t a broken standard, however we see in the new version, PCI DSS V3.0, released at the start of the year, that there is already a greater emphasis of third party management and penetration testing of network segmentation (from Jul 2015), two of the biggest areas of security weakness with Target.

I also spoke about my views on lack of plastic security evolution, pretty much as per my blog post – How the PaymentCard Industry could kill PCI DSS

My Closing Remarks
Debit/Credit card data should be regarded as toxic data by your business.  The data does not belong to the business and it does not belong to your clients. PCI DSS and the authorities around it, are only concerned with protection of their payment card data while in your business possession. Worst still, if you drop the security ball in protecting the payment card data, you pick up the tab in clearing up the mess. PCI DSS is mostly made up of best practice information security, but it is highly prescriptive in nature, and so isn’t an easy standard to fully comply with. PCI DSS compliance can be very costly to continually achieve, diverting your security budget away from protecting other forms of confidential data within the business.  The best course of action is to remove and/or reduce all payment card data within the business, using card scheme accredited payment service providers, can allow you to transfer risk over to them, while technologies like tokenization and end-to-end encryption, can help to keep the toxic payment card data and the required PCI DSS controls which go with it, at a bare minimum.

I was quoted in the media as saying:
“The best approach is to find ways of outsourcing all payment processes so that no payment card data is held or processed by the retailer"
"Alternatively, if payment card data cannot be avoided, ensure that it is encrypted from end to end so that even if systems are breached, attackers cannot use the data to commit fraud” 

1 comment:

Emily X said...

Enjoyed this conference, learnt a few new things about PCI DSS from you, love when you said credit card data should be regarded as toxic data by the business!