Friday, March 11, 2011

Cybercriminals Targeting Point-of-Sale Devices

Point-of-sale payment processing devices for credit and debit cards
are proving to be rich targets for cybercriminals due to lax security
controls, particularly among small businesses, according to a report
from Trustwave.

Trustwave, which investigates payment card breaches for companies such
as American Express, Visa and MasterCard, conducted 220 investigations
worldwide involving data breaches in 2010. The vast majority of those
cases came down to weaknesses in POS devices.

"Representing many targets and due to well-known vulnerabilities, POS
systems continue to be the easiest method for criminals to obtain the
data necessary to commit payment card fraud," according to Trustwave's
Global Security Report 2011.

POS devices read the magnetic stripe on the back of a card that
contains account information, which is then transmitted for payment
processing.

Although there are rules for security controls that developers should
use for the devices, such as the Payment Application Data Security
Standard (PA-DSS), Trustwave said that "these controls are rarely
implemented properly."

Further, many small businesses rely on third-party integrators to
support the POS devices. But those integrators often have poor
security practices. In 87 percent of the breach cases it studied, the
integrators made mistakes such as using default credentials in
operating systems or with remote access systems, Trustwave said.

"In our experience, many POS integrators are often not skilled in
security best practices, leaving their clients open for attack," the
report said. "For instance, our investigations often uncover
deficiencies in regards to basic security controls, such as the use of
default passwords and single-factor remote access solutions."

POS devices are an attractive target for cybercriminals since the data
they access from the cards is more complete, Trustwave said. For
example, an attack against an e-commerce website may yield a credit
card number and the card's expiration date -- information that can
only be used in so-called card-not-present fraud, such as buying goods
on a website that never sees the physical card or its magnetic stripe.

But POS devices collect the full magnetic stripe, which makes it
possible, for example, to encode that information on a dummy card for
use at an ATM or a retailer.

Retailers have been increasing their compliance with the Payment Card
Industry Data Security Standard (PCI-DSS), a code of best practices
created by the card industry. It forbids, for example, the storing of
magnetic stripe data on POS terminals and mandates the use of
encryption.
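As an added illustration, not taken from the article or from Trustwave's report, the Python scanner below does the check a defender would run over POS logs, temp files or a disk image: it looks for full magnetic-stripe track data (which PCI-DSS forbids storing) and distinguishes it from a bare card number plus expiry, the weaker data the article says only supports card-not-present fraud. The track layouts follow the ISO/IEC 7813 conventions (Track 1 begins with `%B`, Track 2 with `;`); the sample log lines are constructed, the PAN 4111111111111111 is a well-known Luhn-valid test number rather than a real account, and all function names are my own.

```python
"""Scan text for stored payment-card data: full track data vs. bare PANs.

Added example (not from the article or Trustwave). Sample input is
constructed; 4111111111111111 is a standard test PAN, not a real account.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Bare PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to drop order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI-DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    pan_masked: str


def _overlaps(span: Tuple[int, int], spans: List[Tuple[int, int]]) -> bool:
    a, b = span
    return any(a < e and s < b for s, e in spans)


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per card-data occurrence, line by line."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        track_spans: List[Tuple[int, int]] = []
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append(Finding(n, kind, mask_pan(m.group(1))))
                    track_spans.append(m.span())
        # Bare PANs: skip digits already reported as part of a track.
        for m in PAN_RE.finditer(line):
            if _overlaps(m.span(), track_spans):
                continue
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(n, "pan", mask_pan(digits)))
    return findings


def worst_exposure(findings: List[Finding]) -> str:
    """Summarise: stored track data is the PCI-DSS violation to escalate."""
    if any(f.kind in ("track1", "track2") for f in findings):
        return "full_track"
    if any(f.kind == "pan" for f in findings):
        return "pan_only"
    return "none"


# Constructed sample: one swipe logged with both tracks, one auth line with a
# bare PAN, and one order id that is 13 digits but fails the Luhn check.
SAMPLE_LOG = """\
2011-03-11 10:02:13 swipe ok: %B4111111111111111^TEST/CARDHOLDER^13051010000000000?;4111111111111111=13051010000000000?
2011-03-11 10:02:14 auth ok: pan=4111-1111-1111-1111 exp=1305
2011-03-11 10:02:15 order id 1234567890123 confirmed
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.pan_masked}")
    print("exposure:", worst_exposure(results))
```

Run against a real log directory by feeding each file's contents to `scan_text`; a `full_track` result on a POS terminal after authorization is the condition the PCI-DSS storage prohibition targets, while `pan_only` still needs attention but represents the narrower card-not-present exposure the article describes.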

But in 2010 Trustwave discovered new malware targeted at POS
applications, one of which was capable of extracting that encrypted
data.

"The POS-specific malware is the most sophisticated malware we have
seen, and similar to the ATM malware we saw in 2009, as it requires
deep knowledge about the workings of the POS application," Trustwave
wrote.

Even though PCI-DSS is well established in North America and Europe,
"these mandates are just beginning to take hold in other regions,"
Trustwave wrote. "For example, Latin America and Asia Pacific still
lag behind other areas of the world in the identification and
acknowledgement of a data breach, which adversely affects the global
effort to combat attacker behavior."
