Retail Credit Card Breaches: Payment Industry Faces Longstanding Hurdles


Retailers will continue to face an uphill battle against credit card thieves who are consistently taking advantage of the tiniest crack in payment systems that are often difficult and expensive to protect, according to a security researcher studying the problem. 

The massive credit card breach at Target and a litany of other major retailers illustrate the challenge of locking down payment systems without overburdening them with security technologies, said Nir Valtman, co-founder and chief technology officer of security testing firm Crowdome.

Valtman spoke to attendees last week at the 2014 Black Hat Briefings in Las Vegas and discussed why credit card theft persists despite advances in endpoint and network security technology. Even retailers that follow regulatory best practices, isolate systems from the Internet and implement encryption are overburdened with securing a variety of weak points in the payment process, he said.

[Related: 10 Companies To Be Probed By Hackers At Black Hat 2014]

Remote management tools used to maintain payment systems are consistently targeted by attackers to infect systems. But one of the biggest problems, and the most serious lapses, is the widespread number of terminals configured to run with administrative privileges, Valtman said. Once a successful malware infection takes place, a remote attacker can do just about anything as long as they keep their activity stealthy, he said.   

"Permissions are the low hanging fruit," Valtman said. "Memory scraping works because there are high privileges and it means that sometimes it allows specific read-write access for certain applications."

Valtman demonstrated a memory-scraping malware attack during his Black Hat presentation and found a credit card number stored in his system memory. The attack works in seconds because the malware leverages the same permissions as the user, he said. 

Target was the victim of a custom version of the BlackPOS memory-scraping malware, according to a McAfee report issued in March, which analyzed the malware behind the retailer's massive data breach. The Minneapolis-based retailer announced that it would move faster to support chip-and-PIN payment terminals to reduce fraud at its brick-and-mortar stores.

The retailer's FireEye malware detection system reportedly identified the threat on its systems and triggered an alert before the massive breach took place, but its security team failed to investigate the alert. The retailer in June added a chief information security officer to oversee its security program.

Retailers can encrypt the credit card data from the pin pad itself before the information reaches the payment system, but that implementation is often cost prohibitive for large retailers with thousands of payment terminals.  Next-generation firewalls and other network-monitoring tools are often easily bypassed and malware is tested against a battery of antivirus engines to ensure that it won't initially be detected. 

Even the latest endpoint technology designed to detect problems by monitoring subtle process changes and other functions may not be a viable option because retailers could run into performance issues, Valtman said. Many point-of-sale systems have a small footprint and are running on a specialized version of Windows for embedded systems.

"There is a conflict here between performance and security," Valtman said. "The POS wouldn't be functional if you put too much on it."

Retail data breaches have raised the discussion about the need to bolster network and endpoint security systems to reduce false positives and add automated capabilities that can prioritize security alerts for incident responders. Meeting compliance mandates alone simply won't solve the problem and all merchants are impacted, not just large retailers like Target, said John Garner, president of Barnstable, Mass.-based solution provider iMedia Technology.

"Most small business owners see the Target breach and think their business is not susceptible to that threat," Garner told CRN in a recent interview.

PUBLISHED AUG. 11, 2014