Despite Prominent Retail Breaches, POS System Attacks Decline, Report Finds
Retail giant Target is still reeling from its massive credit card breach, and Michaels Stores is the latest merchant to announce a heist impacting millions of its customers. A new analysis, however, is tracking a declining trend in attacks against Point-of-Sale systems.
The 2014 Verizon Data Breach Investigations Report, which analyzed more than 1,300 confirmed data breaches and tens of thousands of security incidents, found POS system breaches trending downward since 2011. Attacks are still frequent, however, and dominate the Verizon report statistics, making up 31 percent of data breaches analyzed by the company over the last three years.
Verizon said its data contained 198 confirmed data breaches in 2013 at businesses in the retail, accommodation and food industries. Fewer large-scale attacks are being carried out against small businesses, Verizon said. Larger retailers are reporting attacks, including Nordstrom, which said it discovered skimmers on some of its cash registers in October and Target, which reportedly failed to investigate security alerts, prompting a breach in December that impacted 70 million of its customers.
Attackers increasingly are turning to web application attacks to steal credit card data accepted by merchants on the Internet, said Christopher Porter, a managing principal at Verizon. They are targeting vulnerabilities in web applications. SQL injection, a longstanding and frequent problem in applications, was exploited in 80 percent of attacks against web applications in the retail industry in 2013.
Organized cybercriminals believed to be located in Eastern Europe and Russia, also are becoming more methodical in their approach against retailers, Porter said. Memory-scraping malware is being used to pilfer credit card numbers from system memory when they are not encrypted. Attackers are bypassing systems, maintaining stealthy, persistent access and uploading stolen data to remote servers in ways that avoid detection, Porter told CRN.
"I don't think this has been a case of getting lucky and managing to hit a large retailer," Porter said of the string of recent large retail breaches. ""In years past, it was all automated smash-and-grab-style attacks, and now it's turned to large-scale breaches."
Attack campaigns also are being conducted more efficiently. In more than half of the POS system data breaches analyzed by Verizon, the initial compromises took seconds. In 88 percent of them, the credit card theft took minutes, according to the data. Discovery of a compromise typically takes weeks, with 99 percent of retailers informed by law enforcement or credit card industry fraud detection systems, Porter said.
Credit card thieves continue to target smaller merchants using automated tools in broad campaigns. The wide-scale extent of the attacks and the minimal cost in carrying them out yield enough credit card data to make it a profitable business, Porter said.
"The fact is that we actually know that they are just scanning network ranges and trying to find the wide open remote desktops; they're not spending that much time trying to target organizations specifically," Porter said.
NEXT: Solution Providers Give Retailers Guidance
Solution providers told CRN that they are increasingly educating their clients about addressing risks associated with organized cybercrime. Small-business owners are easy targets because they lack IT teams and have little budget for support, said Michael Knight, chief technology officer at Greenville, S.C.-based Encore Technology Group.
"Most companies only do something when they find out something bad is happening, and it’s a purely reactive type of response, which generally is a quite costly approach," Knight said. "We have to give them a road map of basic principles in how to take care of themselves and say, 'This is the threat landscape, this is where your exposures are.''"
Industry experts said financially motivated cybercriminal hacking techniques aren't gaining much sophistication simply because they don't have to. Businesses are making mundane errors, Porter said.
A wide variety of merchants continue to have inadequate -- and nearly nonexistent -- security measures in place. Breach investigators found systems with outdated antivirus installations or no AV protection at all. In some cases, employees were found checking email, browsing the web and playing video games on some POS systems, increasing the likelihood of an attack, Porter said.
In addition, resellers of POS hardware are also a popular target, because they frequently use the same password for all the clients they serve. Breach investigators also had found poorly implemented and maintained remote access software. Systems were left open to the Internet with weak or default passwords. Therefore, automated tools can carry out brute force attacks in seconds, giving cybercriminals unfettered access to the system, Porter said.
"Attackers were scanning the Internet looking for remote access to POS systems," he said.
Organized cybercriminal groups are investing heavily in the support mechanisms behind their campaigns, industry experts said at a recent Verizon panel discussion on credit card theft. Getting stolen data to market quickly has improved significantly. Back-end systems that collect stolen credit card data can quickly sort and package them for sale in underground hacking forums. The goal is to beat industry fraud systems from triggering alerts on specific cards, the experts said. Buyers pay a premium for high-limit and no-limit cards, while cards with questionable lines of credit go for a fraction of the price, according to insiders that closely monitoring the activity.
PUBLISHED APRIL 22, 2014