The Fraud Blog with Tracy Kitten

Practical Attack on POS Hacks

Industry Response to Merchant Security Gaps is Positive Sign
Much has changed in the payments space since 2009, and some for the better.

Think back three years ago, when Heartland Payment Systems suffered the massive payment card breach that almost shuttered the business.

More than 130 million cards were exposed as part of a five-year cybercrime spree orchestrated by the now notorious hacker Albert Gonzalez.

The incident called into question a number of industry practices, and it raised serious concerns about the efficacy of the Payment Card Industry Data Security Standard, which at the time was still in its infancy.

Fast forward to 2012, and think about how far we've come, and how far Heartland, the PCI-DSS and the Payment Card Industry Security Standards Council have all come as well. In fact, both Heartland and the council are now spearheading separate initiatives to improve payments security right at the source - the merchant.

Two Hands-On Answers

The PCI Council has just announced the launch of a new training program that directly addresses ongoing security flaws at the point-of-sale. This new Qualified Integrators and Resellers Program is probably the most practical program I've ever seen the council develop.

It's designed to educate and train POS device and system integrators and installers about the nuts and bolts of PCI compliance, emphasizing the roles they play in POS security.

Bob Russo, general manager of the council, says the QIR program is the industry's response to breaches that have resulted from poor POS installations, which can leave remote access portals vulnerable to attack.

Although different today than they were back in 2009 - when Gonzalez used war-driving techniques to tap into Heartland's network, exploiting open Internet connections merchants used for processing - the vulnerabilities are similar. Recent POS attacks at merchants throughout the United States, from Michaels to Subway and Penn Station, highlight the card-security risks posed by outdated POS devices, software and default pass codes.

In fact, Russo says most POS network breaches can be traced back to remote-access portals, which are too often left open or are inadequately secured.

"Often this can be tied to one simple element: not resetting a factory default on certain equipment," he says. "Through the QIR program, the council will share best practices about vulnerabilities that must be addressed during the installation of devices and applications."

And it's not just PCI. Heartland, too, is taking a hands-on approach to merchant security, and is setting an example other processors will likely follow.

Not only is Heartland taking steps to educate its merchants about POS and payment card security, but it also is assisting those merchants with post-breach investigations and POS hardware and network upgrades.

In the wake of recent breaches at two Heartland clients - Penn Station and a locally-owned Mexican restaurant in Winchester, Ky. - executives at Heartland say they decided it was time for a proactive approach (see Heartland Takes Aim at POS Fraud).

Heartland is stepping in after breaches, overseeing investigations and even upgrading willing merchants to its E3 POS system -- a hardware-based end-to-end encryption technology that removes the merchant from the process of managing encryption keys locally.

Taking that key management onus off the shoulders of the merchant simplifies the process. It makes sense, and is something more processors should be doing, and could have been doing a long time ago.

As John South, Heartland's chief security officer, rightly points out: Merchants need assistance.

"Their specialty is not in securing networks," he says. "And many have little or no experience in installing hardware or software to do that."

And, like Russo, South says remote access is the greatest worry. "Statistically, right now, remote-access capabilities, for whoever installs the system, are posing the greatest threat," he says. "Card skimming is still a problem, but it's just one of several ways that card data can be attacked."

I commend both the council and Heartland for the steps they've taken here. They identified a problem and came up with direct ways to address it: Good for them.



About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



