Verizon: Point-of-sale intrusions down
When it comes to identity theft, there is one thing that is indisputable: There have always been and will always be bad guys.
"It's up to good guys to stay on top of the bad guys," says identity theft expert Robert Siciliano. "And it's a full-time job." But one tool makes the job of being a good guy just a little easier.
An analysis from Verizon tries to fight bad guys' pursuit of credit card information with comprehensive statistics and detailed advice to the merchant.
Released annually since 2008, Verizon's Data Breach Investigations Report (DBIR) essentially details what thieves -- often crime syndicates based in Eastern Europe, Asia and Central America that target the credit card systems of American grocery stores, gas pumps and fast food restaurants -- have been up to for the past year.
"Verizon has done [its] homework," said Siciliano, CEO of the identity protection service review site BestIDTheftCompanys.com. "This is a benchmark study, and all others in the industry are paying attention to it."
This year's study is more comprehensive than ever, tracking patterns found among more than 63,000 confirmed incidents worldwide that might compromise data security. One section in particular has the attention of merchants: point-of-sale (POS) intrusions. These are defined as remote attacks against the environments where retail transactions are made, specifically card-present purchases. The most headline-grabbing incident of this kind in 2013 was the hacking of retail giant Target. In that massive data breach, the credit and debit card information of tens of millions of customers was stolen and customers' personal data was captured.
The Verizon report's good news is that POS intrusions are on the decline. It found that "the number of POS attacks in 2012 and 2013 is substantially lower than the number recorded in 2010 and 2011 (despite having 10 times more contributors in the latter years)."
The 2014 DBIR shows that POS intrusions were the most common type of breach from 2011 to 2013, making up 31 percent of breaches. In that time period, the next most common breach types were Web app attacks (21 percent) and cyber-espionage (15 percent). Over the past year, POS intrusions accounted for 14 percent, shrinking by more than half, while Web app attacks grew to 35 percent and cyber-espionage grew to 22 percent.
"It's interesting that (incidents) are down but not indicative that they'll stay down," said Dwayne Melancon, chief technology officer at Tripwire, which works with retailers and financial services organizations and others to detect, prevent and respond to cybersecurity threats.
What might explain the decrease in POS intrusions? One theory is that many merchants have added resources to tighten their information security processes. In other words, maybe the protections are working. But as Melancon said, that's just for now. Criminals will likely take the path of least resistance and find a new avenue to breach systems.
Despite advances, it can still take weeks to discover a breach, while an intrusion takes a matter of seconds.
"Regardless of (the size of the organization that was victimized) or which methods were used to steal payment card information, there is another commonality shared in 99 percent of the cases: Someone else told the victim they had suffered a breach," Verizon reports. "In many cases, investigations into breaches will uncover other victims, which explains why law enforcement is the top method of discovery and the top contributor of POS intrusions in our dataset. Long story short, we're still discovering payment card breaches only after the criminals begin using their ill-gotten gains for fraud and other illicit purposes."
Just 11 percent of POS intrusions are discovered and reported by customers, and less than 1 percent is discovered by a network intrusion detection system, which is meant to monitor a network for suspicious activity.
How does this particular crime work, anyway? Verizon says the most frequent POS intrusion scenario affects small businesses whose owners may or may not consider themselves lucrative targets.
"This event chain begins with the compromise of the POS device with little to no legwork; the devices are open to the entire Internet and, to make matters worse, protected with weak or default passwords (and sometimes no passwords)." Then malware is installed to collect and retrieve magnetic stripe data and criminals cash in -- either by making charges over the phone or on the Web or burning the data onto blank cards. That's right, credit cards can be replicated.
"It's not rocket science -- it's just a plastic card," Siciliano said. "The tool to make that happen is no bigger than a desktop computer, and it can be purchased. There are no restrictions on who can buy one."
The Verizon report notes that RAM scraping malware is resurging as the most common tool for grabbing data. "RAM scrapers allow payment card data to be grabbed while processed in memory (where it is unencrypted) rather than when stored on disk or in transit across the network [where it is ostensibly encrypted]," it says.
Losing data is a frustrating scenario for victims and potentially a financial nightmare for merchants, who could face class-action lawsuits, government fines and significant crisis management if they're targeted. But there are ways for those most likely to be breached -- restaurants, hotels, grocery stores and other brick-and-mortar retailers -- to thwart intrusions.
Restrict remote access
"Third parties end up being loose ends because they may not have the level of security in place that the main organization does," Siciliano said. "It becomes a bit like the childhood fable of the boy who stuck his finger in the dike. You plug one hole and another opens because of parties you don't have any control over."
That's why Verizon recommends merchants limit remote access into POS systems by the third-party vendors they hire to manage their information security. Melancon advises asking these vendors specifically, "What are you doing to be sure RAM scrapers aren't installed?"
Segment your network
POS systems also should not be connected to the corporate network because "it's one place to compromise and that's how you poison the well," Melancon said. Don't make the mistake of giving thieves access to an easily targeted system that is at the heart of your company.
Watch for suspicious activity
This can mean monitoring network traffic and being familiar with a normalized traffic pattern, as well as physically checking PIN pads and card readers to make sure they look as they should -- meaning there aren't any card skimmers. Skimmers attach to a card scanner to secretly collect debit and credit card info during a purchase. Because skimmers are designed to look just like a regular card scanner, it can be tricky to identify a skimmer unless you know exactly how your device should look.
Melancon said merchants should take pictures of their equipment as it should look to compare. The same can be done for the network: "One of our products takes a snapshot of the code and access privileges to ask, 'Does it look different than it did a week ago?'"
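A minimal version of the snapshot-and-compare check Melancon describes, as an added example (not Tripwire's product and not code from the article): it records each file's SHA-256 digest and permission bits, then reports what differs from the baseline. The file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to its SHA-256 digest and permission bits."""
    snap = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks and devices
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        rel = str(path.relative_to(root))
        snap[rel] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode)}
    return snap

def compare(baseline, current):
    """Return (finding, path) pairs, ordered by path, describing drift from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append(("added", path))
        elif new is None:
            findings.append(("removed", path))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append(("content-changed", path))
            if old["mode"] != new["mode"]:
                findings.append(("mode-changed", path))
    return findings

def demo():
    """Constructed sample: baseline a directory, alter it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("pos_app.bin", b"v1"), ("config.ini", b"port=443\n")):
            Path(root, name).write_bytes(data)
            Path(root, name).chmod(0o644)
        baseline = snapshot(root)
        Path(root, "pos_app.bin").write_bytes(b"v1-modified")  # binary replaced
        Path(root, "config.ini").chmod(0o666)                  # permissions loosened
        Path(root, "unknown_helper.bin").write_bytes(b"x")     # file not in baseline
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:16} {path}")
```

In practice the baseline would be stored off the POS host, so that malware on the terminal cannot rewrite it to match.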
Invest in safety
Following the above advice -- as well as installing and maintaining anti-virus software on POS systems and setting up barriers such as two-factor authentication for third-party and internal users -- might be costly, but it's worthwhile.
For merchants concerned about information security, "it's not a matter of 'if' but 'when'," Siciliano said. "The question is to what degree and how to prepare for that. IT managers should be supplied with appropriate budgets to protect the company."
Published: August 28, 2022