Cybercriminals have an insatiable thirst for credit card data. There are multiple ways to steal this information online, but point-of-sale (POS) systems are a tempting target. An estimated 60 percent of purchases at retailers’ POS are paid for using a credit or debit card. Given that large retailers may process thousands of transactions daily through their POS, these terminals are in the crosshairs of cybercriminals seeking large volumes of credit card data. Leo Taddeo of Cryptzone looks at the four phases of a POS attack and what retailers can do to prevent them.
Examples of these types of data breaches are endless. Vera Bradley suffered a data breach as a result of its POS system just this week. In August, Oracle disclosed that its MICROS POS division had been hacked, leaving 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels at risk.
Generally, there is some consistency in the methodology used by hackers targeting POS systems. According to a report issued by Trustwave Holdings in 2013, the phases include infiltration, propagation, aggregation, and exfiltration.
Phase 1: Infiltration
The infiltration phase is where the attacker conducts reconnaissance to find and exploit an access point. There are a variety of methods an attacker can use to gain access to a corporate network. They can look for weaknesses in external-facing systems or they can attack from within by sending a spear-phishing email to an individual within the organization. The spear-phishing email could contain a malicious attachment or a link to a website which installs a back door program onto the victim’s computer.
Phase 2: Propagation
Once inside the network, the attackers’ next step is to gain access to their ultimate targets: the POS systems. Attackers will typically use a variety of tools to map out the network and locate systems within the card data environment (CDE). While they may exploit vulnerabilities or use other techniques to gain access to these systems, often the simplest method is obtaining user credentials. User credentials may be obtained through keylogging Trojans, password-hash extraction and cracking, replaying captured login sequences, or even brute-force password attacks. Eventually, the attackers may obtain administrative-level credentials. The attackers may even gain control of a domain controller, giving them full access to all computers in the network. Once in control, they can then gain access to the CDE, even if it is in a segmented network, by using the network and data pathways established for existing business purposes. Once inside the CDE, they can install malware that steals card data from the POS systems.
Phase 3: Aggregation
After the infiltration phase, attackers often consolidate data from compromised target systems in a single aggregation location in advance of exfiltrating it. This is an optional step, but one that attackers may take to avoid connecting directly from high-value assets to the Internet, which may raise security alerts. Aggregation may take the form of simple consolidation, or it may involve more complex steps to disguise or encrypt the data.
Phase 4: Exfiltration
After the desired information is collected, attackers will use one or more mechanisms to extract the data to an external location. This step is where a security monitoring system, such as a SIEM, is useful: extracting large amounts of data should be readily detectable by these types of systems.
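To make the detection point concrete for the aggregation and exfiltration phases above, here is an added example (not from the article or from Cryptzone) of flow-log rules a SIEM might apply: it flags CDE hosts talking directly to the Internet, bulk transfers from CDE hosts to internal staging hosts, and bulk transfers from any host to the Internet. The CDE subnet, the internal address ranges, the threshold and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (constructed, not from the article): 10.20.0.0/24 is the card data
# environment (CDE); RFC 1918 space is "internal"; everything else is the Internet.
CDE_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (source, destination, bytes sent).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.0.1", 4_200),           # POS to in-CDE server: normal
    ("10.20.0.15", "10.50.3.7", 900_000_000),     # POS to staging host: aggregation
    ("10.50.3.7", "203.0.113.9", 1_500_000_000),  # staging host to Internet: exfiltration
    ("10.20.0.22", "198.51.100.4", 12_000),       # POS straight to Internet: policy breach
    ("10.60.1.3", "203.0.113.9", 50_000),         # ordinary workstation traffic
]

BULK_THRESHOLD = 500_000_000  # bytes per source per window; tune to a measured baseline


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def detect(flows, threshold: int = BULK_THRESHOLD):
    """Return alerts as (rule, source, destination_or_scope, bytes) tuples."""
    alerts = []
    to_internal = defaultdict(int)  # bytes from CDE hosts to non-CDE internal hosts
    to_external = defaultdict(int)  # bytes from any host to the Internet
    for src, dst, nbytes in flows:
        in_cde = ipaddress.ip_address(src) in CDE_NET
        if is_external(dst):
            to_external[src] += nbytes
            if in_cde:  # the direct connection that aggregation is meant to avoid
                alerts.append(("cde_direct_internet", src, dst, nbytes))
        elif in_cde and ipaddress.ip_address(dst) not in CDE_NET:
            to_internal[src] += nbytes
    for src, total in to_internal.items():  # staging data outside the CDE
        if total >= threshold:
            alerts.append(("cde_bulk_staging", src, "internal", total))
    for src, total in to_external.items():  # bulk outbound transfer
        if total >= threshold:
            alerts.append(("bulk_exfiltration", src, "internet", total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

In practice the per-source totals would be computed over a time window from the flow collector, and the threshold set from the host's own historical baseline rather than a fixed number.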
As POS data breaches become increasingly common, secure network access for retailers becomes essential. Companies should look to block attackers at the infiltration phase by employing multi-factor authentication and limiting the access of insiders, privileged users, and subcontractors or vendors to only those services needed for business use. This will limit exposure to these types of attacks, which are not going away.
Leo Taddeo, Chief Security Officer, Cryptzone