Major customer data breach due to malware in their POS system, and many other high-profile hotel breaches recently (Starwood, Trump Hotels) – where are the hotels going wrong? This week also saw the discovery of one of the most sophisticated retail PoS malware ever, ModPos, just in time for the holiday shopping season. Are we likely to see more PoS breaches in the coming days and weeks? What can businesses and consumers do to protect themselves? Security experts from Proofpoint, Voltage, and Tripwire have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Mark Bower, Global Director of Product Management, Enterprise Data Security for HPE Security :
“Once again, with confirmation late yesterday of a payment card data breach at Hilton Hotels and last week Starwood, we see that hospitality service providers, like retailers, face extraordinary challenges with customer data security at point of sale (POS).
GammaPOS, Abaddon, Dexter, the newly discovered ModPOS and other retail malware are designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale.
POS systems are often the weak link in the chain. They should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
However it’s important to note, especially going into the busy holiday season, that retailers, hospitality and any businesses using POS systems, can avoid the impact of these types of advanced attacks. Proven methods are available to neutralize data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.
The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data. No live data means no gold to steal. Attackers don’t like stealing straw.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]George Rice, Senior Director, Payments at HPE Security :
Tips for retailers
“Only collect customer data that you need and can adequately protect. Why do you need date-of-birth or social security numbers, for example? Encrypt or tokenize everything you determine to be mission-critical.
Protect data at the moment of submission by the customer. Criminals know to embed malware near to data acceptance points, like point-of-sale systems or web front-ends.
Only unprotect data when absolutely necessary. A high percentage of the time, applications and users can work equally well with a surrogate value.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Dwayne Melancon, CTO of Tripwire :
“As holiday travel and vacations hit their peak, cyber criminals will be targeting many businesses including hotel chains. If they haven’t done so already, hotel chains should assess their networks to isolate their point-of-sale (POS) devices as much as possible from non-payment portions of their networks. Additionally, it is vital that any business who relies on point-of-sale technology use a security system that can continuously monitor their systems to understand what a normal configuration looks like, so any suspicious changes to the point-of-sale system can be detected immediately and dealt with before a loss occurs.”
For consumers, Tripwire’s team of security researchers recommends that consumers take the following precautions when shopping online this holiday season:
- Beware of the siren song of a great deal by avoiding shopping websites that offer prices that seem too good to be true. Cyber criminals frequently use extremely low prices on popular items to draw in potential victims.
- Use a credit card instead of a debit card. If your credit card data is used for something nefarious, it’s easier to resolve issues with a credit card company than with your bank.
- Take advantage of the alert features on your credit card, which can warn you of abnormal account activity. Alerts are helpful any time during the year, but they are especially useful during busy holiday shopping seasons.
- Never purchase merchandise from a website that does not use secure HTTPS for the purchase process. Check the address line of your browser during the purchase process; it should start with HTTPS.
- Make sure your computer has the most current security software patches installed. Once a security patch is available, cyber criminals have all the information they need to attack devices that have not been updated.
“Online shoppers should also be especially careful of emails they receive,” said Lane Thames, security researcher at Tripwire. “Phishing campaigns that try to dupe consumers into giving away personal and financial information tend to rise during the holiday season.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Kevin Epstein, VP of Threat Operations at Proofpoint :
What is the best advice for customers who believe they may have been impacted?
“In the short-term, consumers can take immediate defensive actions by placing a ‘fraud lock’ or ‘credit freeze’ on their credit records; that would mitigate the financial aspects of identity theft.”
How much money do you expect the cyber criminals can make with this stolen data?
“Criminals will likely make less than Hilton Worldwide will lose in terms of lost sales, costs of consumer notification, breach cleanup and the like — but the credit-card numbers alone, sold online, could be worth double-digits apiece even before being used to tap consumer lines of credit. This theft could easily net the initial attackers many millions of dollars, with subsequent fraudulent use of the cards raising that by an order of magnitude or more.”
Do you have any advice on how Hilton Worldwide should handle the fallout of the breach?
“Notification of impacted consumers and sponsorship of appropriate protection is a clear priority. Cyberattacks’ most expensive aspect isn’t cleanup; it’s brand damage. Restoring consumer confidence is paramount. To that end, subsequent disclosure of the attack source and implementation of new, modern protective systems to prevent recurrence are also good steps to take, quickly.”[/su_note]