April 21st, 2015 by Elma Jane

An advanced strain of malware called “Punkey,” is capable of attacking Windows point of sale terminals, stealing cardholder data and upgrading itself while hiding in plain sight.

Researchers from Security vendor Trustwave discovered the new strain. The investigation found compromised payment card information and more than 75 infected, and active, Internet Protocol addresses for Windows POS terminals.

 

 

Punkey poses a unique threat to payment networks, particularly because it also can download updates for itself.

If the malware author has a new feature it wants to add or updates to get rid of bugs, it actually pushes the malware down from the command and control server, revealed by Trustwave’s SpiderLabs research center. Punkey operates like a typical Botnet.

The malware hides inside of the Explorer process, which exists on every Windows device and manages the opening of individual program windows. Punkey scans other processes on the terminal to find cardholder data, which it sends to the control server.

The malware performs key logging, capturing 200 keystrokes at a time. It sends the information back to its server to store passwords and other private information.

A year ago, security vendors warned retailers against using Windows XP at the point of sale, since Microsoft stopped supporting Windows XP security patches. However, even Punkey is not attacking Windows due to any vulnerability in the systems, so even merchants with newer versions of Windows are at risk.

Punkey just runs like any Windows binary would. Even if the system is upgraded or a new system is put in place, criminals are still getting malware on the POS in other ways.

Many retailers use remote desktop support software, which fraudsters take advantage of, they steal a password and install malware like a technician would install any software.

While Punkey represents a more sophisticated POS malware than Trustwave has seen previously, merchants can still protect themselves through attention to basic security best practices.

Merchants should update antivirus and firewall protections, monitor the remote access software, establish two-factor authentication and check network activity daily for anything out of the ordinary. Unfortunately, many organizations have neither the expertise nor the manpower to perform these tasks.

 

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , ,

September 23rd, 2014 by Elma Jane

Home Depot, US retail chain says that 56 million payment cards are at risk following a malware-laden cyber-attack on eftpos tills across its stores in the US and Canada.

The investigation into a possible breach began on September 2nd,Tuesday morning, immediately after Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.

According to Home Depot’s security partners, the malware had not been seen previously in other attacks.
Criminals used unique, custom-built malware to evade detection. The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards, after lurking in the company’s eftpos tills for four months between April and September.

While the breach has been seen as a further proof-point in the US push to adopt Chip and PIN at the point-of-sale, the fact that the outbreak also hit the home improvement chain’s Canadian stores, where the EMV standard has been implemented, leaves pause for thought. Nonetheless, the retailer has committed to installing 85,000 PIN pads at its US outlets, well ahead of the national 2015 deadline.

Home Depot has set aside $65 million to cover the cost to investigate the data breach, provide credit monitoring services to its customers, increase call center staffing, and pay legal and professional services. Approximately $27 million of the projected outlay will be covered by the company’s insurance.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , ,

August 28th, 2014 by Elma Jane

Merchants are still using pedestrian passwords that crooks can easily break, security company Trustwave has found. Of the nearly 630,000 stored passwords that Trustwave obtained during penetration tests in the past two years, its technicians were able to crack more than half in just a few minutes and 92% within 31 days. Even though adding new information about weak passwords or ongoing malware investigations gets frustrating because the same problems facing the financial and payments industries persist, it does not surprise Trustwave researchers. For a lot of software or hardware developers, their main concern is availability of the service. They want to make sure their POS is available and running to accept credit cards, often at the cost of a lot of security controls. It is difficult to implement security and to do it correctly.

Trustwave recommends longer passwords with more characters, rather than shorter ones with letters and numbers. A longer password that is a phrase not easily figured out is better than a shorter, complex password. These findings have been added to an online version of the 2014 Trustwave Global Security Report. To accommodate the fast changing nature of security threats, Trustwave is regularly updating its research and making the information available to consumers and payments industry stakeholders on the company’s site. The criminals stealing data are a constantly moving target. It no longer made sense for those interested in our research to have to wait a year to see new statistics. Having access to updated security reporting should be helpful to merchants. They can see how trends are tracking over time, instead of constantly having to go online to see what is relevant to them or rely on the trade groups to keep them informed. This provides one switch to keep them in the know, so there is some value there and it’s a smart move on Trustwave’s part. Since the new Payment Card Industry security requirements call for security measures to be embedded in software development lifecycles, there is some utility in Trustwave’s new approach to sharing research information.

Trustwave said the trend of businesses detecting breaches continues to rise, with 29% of businesses doing so in 2013 compared to only 9% in 2009. Trustwave compiled that data from 691 post-breach forensics investigations conducted in 2013. The report also indicated e-commerce breaches are increasing, with 54% of all breaches targeting e-commerce sites in 2013, compared to only 9% in 2010. More regions, including the U.S., being in various stages of converting to EMV chip-based cards for card-present transactions fuels the criminals’ shift to e-commerce fraud. Additionally, the company is working with law enforcement officials after discovering a control center of eight servers behind what is being called Magnitude, an exploit kit of Russian origin that has led to thousands of attacks and millions of attempted malware attacks globally.

Posted in Best Practices for Merchants, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , ,

August 27th, 2014 by Elma Jane

Backoff malware that has attacked point of sale systems at hundreds of businesses may accelerate adoption of EMV chip and PIN cards and two-factor authentication as merchants look for ways to soften the next attack. Chip and PIN are a big thing, because it greatly diminishes the value of the information that can be trapped by this malware, said Trustwave, a security company that estimates about 600 businesses have been victims of the new malware. The malware uses infected websites to infiltrate the computing devices that host point of sale systems or are used to make payments, such as PCs, tablets and smartphones. Merchants can install software that monitors their payments systems for intrusions, but the thing is you can’t just have anti-virus programs and think you are safe. Credit card data is particularly vulnerable because the malware can steal data directly from the magnetic stripe or keystrokes used to make card payments.

The point of sale system is low-hanging fruit because a lot of businesses don’t own their own POS system. They rent them, or a small business may hire a third party to implement their own point of sale system. The Payment Card Industry Security Standards Council issued new guidance this month to address security for outsourced digital payments. EMV-chip cards, which are designed to deter counterfeiting, would gut the value of any stolen data. With this magnetic stripe data, the crooks can clone the card and sell it on the black market. With chip and PIN, the data changes for each transaction, so each transaction is unique. Even if the malware grabs the data, there not a lot the crooks can do with it. The EMV transition in the U.S. has recently accelerated, driven in part by recent highprofile data breaches. Even with that momentum, the U.S. may still take longer than the card networks’ October 2015 deadline to fully shift to chip-card acceptance.

EMV does not by itself mitigate the threat of breaches. Two-factor authentication, or the use of a second channel or computing device to authorize a transaction, will likely share in the boost in investment stemming from data security concerns. The continued compromise of point of sale merchants through a variety of vectors, including malware such as Backoff, will motivate the implementation among merchants of stronger authentication to prevent unauthorized access to card data.

Backoff has garnered a lot of attention, including a warning from the U.S. government, but it’s not the only malware targeting payment card data. It is not the types of threats which are new, but rather the frequency with which they are occurring which has put merchants on their heels. There is also an acute need to educate small merchants on both the threats and respective mitigation techniques.. The heightened alert over data vulnerability should boost the card networks’ plans to replace account numbers with substitute tokens to protect digital payments. Tokens would not necessarily stop crooks from infiltrating point of sale systems, but like EMV technology, they would limit the value of the stolen data. There are two sides to the equation, the issuers and the merchants. To the extent we see both sides adopt tokenization, you will see fewer breaches and they will be less severe because the crooks will be getting a token instead of card data.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 21st, 2014 by Elma Jane

Package delivery giant UPS has become the latest company to admit that customer payment card details may be at risk after it discovered malware at 51 of its US stores. In a statement, UPS says that customers who used credit and debit cards at 51 of its 4470 franchised sites between 20 January and 11 August are at risk. Names, postal and email addresses and payment card information may all be compromised, but UPS says that it has no evidence of any fraud, and that the malware has now been eliminated. Earlier this month the US government took the step of putting out an alert warning retailers about a new family of malware, dubbed Backoff, targeting point-of-sale systems. The UPS Store, received a bulletin from the government among many other US retailers that made them aware of the problem. As soon as they became aware of the potential malware intrusion, they deployed extensive resources to quickly address and eliminate the issue. Customers can be assured that they have identified and fully contained the incident. US merchants have found themselves under siege from hackers in recent months, with the most notable case seeing thieves use a vendor’s credentials to infect POS devices with malware and steal the details of around 40 million Target customer cards.

Posted in Best Practices for Merchants, Credit Card Security Tagged with: , , , , , , , , , , , , , ,

August 11th, 2014 by Elma Jane

Tokenization technology has been available to keep payment card and personal data safer for several years, but it’s never had the attention it’s getting now in the wake of high-profile breaches. Still, merchants especially smaller ones haven’t necessarily caught on to the hacking threat or how tools such as tokenization limit exposure. That gap in understanding places ISOs and agents in an important place in the security mix, it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is.

The biggest challenge that ISOs will see and are seeing, is this lack of awareness of these threats that are impacting that business sector. Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next. Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets. It’s complex and not enough ISOs understand it, even though it represents a potential revenue-producer and the industry as a whole is confused over tokenization standards and how to deploy and govern them.

ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology. It’s a needed layer of security to complement EMV cards. EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database. The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.

A database full of tokens has no value to criminals on the black market, which reduces risk for merchants. Unfortunately, the small merchants have not accepted the idea or the reality and fact, that there is malware attacking their point of sale and they are being exposed. That’s why ISOs should determine the level of need for tokenization in their markets. It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in. If you are selling to dry cleaners, you probably don’t need to know much about tokenization, but if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.

Tokenization is critical for some applications in payments. Any sort of recurring billing that stores card information should be leveraging some form of tokenization. Whether the revenue stream comes directly from tokenization services or it is bundled into the overall payment acceptance product is not the most important factor. The point is that it’s an important value to the merchant to be able to tokenize the card number in recurring billing, but ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization. EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with the Clearing House, which establishes payment systems for financial institutions. Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to determine similarities and determine whether one standard could cover the needs of banks and merchants.

 

Posted in Best Practices for Merchants Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 7th, 2014 by Elma Jane

8706521946_cfbc9e0e6f_o

Recent high-profile cyberattacks at retail giants like Target and Neiman Marcus have highlighted the importance of protecting your business against point-of-sale (POS) security breaches. Often, the smallest merchants are the most vulnerable to these types of cyberthreats. The latest of these POS attacks is known as Backoff, a malware with such brute force that the U.S. Department of Homeland Security (DHS) has gotten involved. The DHS recently released a 10-page advisory that warns retailers about the dangers of Backoff and tells them how they can protect their systems. Backoff and its variants are virtually undetectable low to zero percent by most antivirus software, thus making it more critical for retailers to make sure their networks and POS systems are secure.

How Backoff works

Backoff infiltrates merchant computer systems by exploiting remote desktop applications, such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn, among others. Attackers then use these vulnerabilities to gain administrator and privileged access to retailer networks. Using these compromised accounts, attackers are able to launch and execute the Backoff malware on POS systems. The malware then makes its way into computer and network systems, gathers information and then sends the stolen data to cybercriminals. The advisory warns that Backoff has four capabilities that enable it to steal consumer credit card information and other sensitive data: scraping POS and computer memory, logging keystrokes, Command & Control (C2) communication, and injecting the malware into explorer.exe. Although Backoff is a newly detected malware, forensic investigations show that Backoff and its variants have already struck retailers three times since 2013, the advisory revealed. Its known variants include goo, MAY, net  and LAST.

Prevent a Backoff attack

To mitigate and prevent Backoff malware attacks, the DHS’ recommendations include the following:

Configure network security. Reevaluate IP restrictions and allowances, isolate payment networks from other networks, use data leakage and compromised account detection tools, and review unauthorized traffic rules.

Control remote desktop access. Limit the number of users and administrative privileges, require complex passwords and two-factor authentication, and automatically lock out users after inactivity and failed login attempts.

Implement an incident response system. Use a Security Information and Event Management (SIEM) system to aggregate and analyze events and have an established incident response team. All logged events should also be stored in a secure, dedicated server that cannot be accessed or altered by unauthorized users.

Manage cash register and POS security. Use hardware-based point-to-point encryption, use only compliant applications and systems, stay up-to-date with the latest security patches, log all events and require two-factor authentication.

 

Posted in Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

July 21st, 2014 by Elma Jane

European authorities dismantled a Romanian-dominated cybercrime network that used a host of tactics to steal more than EUR2 million. As a direct result of the excellent cooperation and outstanding work by police officers and prosecutors from Romania, France and other European countries, a key criminal network has been successfully taken down this week.

Hundreds of police in Romania and France, backed by the European Cybercrime Centre, carried out raids on 177 addresses, interrogating 115 people and detaining 65. Those held are suspected of participating in sophisticated electronic payment crimes, using malware to take over and gain access to computers used by money transfer services all over Europe. They are also accused of stealing card data through skimming, money laundering and drug trafficking.Proceeds of the crimes were invested in different types of property, deposited in bank accounts or transferred electronically, says the EC3. Large sums of money, luxury vehicles and IT equipment were seized during the raids.

Posted in Uncategorized Tagged with: , , , , , , , , , , , ,

May 9th, 2014 by Elma Jane

Email is an indispensable part of running any business, it is so important. It’s often the best  and least intrusive way to communicate with employees, colleagues and collaborators. Not all email platforms are equal, it’s important to choose one with the right email service and  features your business need, also to avoid overpaying for features that you don’t need.

Factors to consider before settling on an email platform for your business.

Bonus Features

Once you’ve found an email service that covers all the basics, check for additional features that can boost your productivity. Some platforms such as Gmail and Outlook includes integrated video chat. That means you can use a single service for both exchanging messages and meeting remotely, making your day-to-day operations simpler and more efficient. Some email platforms also include instant messaging functionality. Instant messaging is better than email for real-time discussions, since you can exchange numerous short messages in rapid succession. Sending an instant message may be preferable to sending an email if the content of your message is not that important

Collaboration Tools

Good business email platform makes it easier for you to work together with your employees or colleagues. The best platforms include tools to help you collaborate. Services such as Gmail and Outlook include a built-in-calendar as part of your email inbox, in a few simple steps you can share your calendar with others so they can view and edit it on the fly. That can really help with planning and collaboration. Email threading is another feature that can help you work together with colleagues. Threaded emails make it easier to follow long exchanges because replies appear one after another in a single thread, instead of being spread throughout your inbox in the order they were received.

 Free or Paid??

One thing you can’t get with a free Web mail service is the ability to use your brand’s name as part of your email address. Registering for a free Gmail account gives you an email address like [username]@gmail.com; but by subscribing to Google Apps for Business, you can secure an email address that reads [username]@[yourbusiness].com. In most cases, you’ll need to already own your own Web domain in order to use it as part of your email address, but registering a domain can cost as little as $10 per year. Services such as Microsoft Office 365, give you your own domain name without the need to pay additional hosting fees.

Security

Whether you pay for email or use a free service, you’ll want tight security for your business inbox especially if running your business involves the exchange of private client data and other sensitive data can be attached to your email account, such as bank account numbers and tax returns. Even more than with your personal email, it’s important to keep cyber criminals out of your business account. Before settling on an email service, check for common-sense security measures such as spam and phishing filters. Support for two-factor authentication is also important. The feature helps keep outsiders out of your inbox by requiring users to have two pieces of information to sign in. The first is your regular password and the second is a freshly generated code sent to either your mobile phone or a second email address. Other security features to check for include built-in antivirus measures to keep malware off your computer, which is especially important if you download a lot of attachments. Whether or not it’s important for you (and any employees) to have a branded email address is ultimately up to you. An email address that includes your own domain name can potentially boost the perceived credibility of your business. On the other hand, a generic email address might be fine for the smallest businesses, especially if you are a sole proprietor.

Storage Space

A branded email address isn’t the only advantage of a paid email service. Paid platforms offer plenty of other perks, such as expanded cloud storage for email and other files. Many free email services offer limited storagespace, forcing you to delete messages when your inbox gets full. If you run a small business that relies heavily on email and you prefer to archive messages rather than delete them, your inbox can fill up in a hurry. By subscribing to a paid service, you can gain access to a much bigger inbox. There are a few other related concerns to consider. The maximum size of an email attachment varies widely between different services, with some services capping attachments at 10GB and others letting you send huge files up to 300GB or more, as long as the file is already uploaded to the cloud.

Posted in Best Practices for Merchants Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

July 15th, 2013 by Admin
e-commerce PCI security

Cyber Crime InfoGraphic by Vericode.

Today anyone can have an e-commerce web site set up in mere minutes. There are a lot of open source e-commerce solutions that allow a web site owner to establish a site very easily, some require just a few clicks to get going. Once you have your color scheme chosen and your navigation all set a decision on how to accept payments is inevitable. e-commerce payment gateways allow your site to connect securely to a payment processor to accept your electronic transactions. These digital transactions can be used by hackers to target your site and your customers credit card information and much more. Whether the data targeted is stored on the merchants network or on the customers mobile device, business need to implement a cyber security strategy. Read more of this article »

Posted in Credit Card Security Tagged with: , , , , , , , , , , , , , , ,