Hitting the Data Jackpot
2014 has just begun, but we’ve already seen breach after breach, most of them targeting huge retail stores and even chains. While this proves one of our predictions (that we’ll see one major data breach each month), we believe we need to explain why and how breaches occur.
Before we get into the how, let’s first discuss what the targets are. Point-of-sale (PoS) systems are used to accept payment and keep track of sales transactions and inventory, especially in the retail and hospitality industries. The term doesn’t refer only to the cash register or the card swiper that retailers, hotels, and other shops use; it refers to all of them. These systems are connected to an external network so retailers and shop owners can easily contact banks for card-based (debit or credit) transactions. Many PoS terminals use some version of Microsoft™ Windows®.
The Attack Tools
Hackers get to PoS systems by using malware like:
- ALINA: Variants of this malware family scour infected PoS systems’ memory for theft-worthy card information. The malware then sends the stolen data to a command-and-control (C&C) server using HTTP POST requests.
- Dexter: Variants of this family are reputed to be the most potent and so remain in use today. They steal not only stored credit card data but also information about the systems they infect. They also install a keylogger to maintain persistence.
- FYSNA: Also known as “Chewbacca,” this is one of the newest PoS malware families. Variants of this family use the Tor network to secure connections to their C&C server, making the culprits behind attacks harder to track.
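Because malware such as ALINA ships stolen card data out over HTTP POST, one defensive check is to inspect outbound POST bodies from PoS hosts for card numbers. The Python sketch below is an added example, not code from the original article; the host names and sample bodies are constructed, and it assumes the body reaches the inspection point in cleartext (an encoded or encrypted body would not match).

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + service code + discretionary data ?
TRACK2 = re.compile(r";(\d{13,19})=\d{7,}\?")
# Bare PAN candidate: 13-19 digits that are not part of a longer digit run.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits so alerts never store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_post(src_host, body):
    """Return one finding per Luhn-valid card number in an outbound POST body."""
    findings, seen = [], set()
    for kind, pattern in (("track2", TRACK2), ("pan", PAN)):
        for m in pattern.finditer(body):
            pan = m.group(1) if kind == "track2" else m.group(0)
            if pan not in seen and luhn_ok(pan):
                seen.add(pan)
                findings.append({"host": src_host, "kind": kind, "pan": mask(pan)})
    return findings


# Constructed sample bodies; 4111111111111111 is a widely used test card number.
SAMPLES = [
    ("pos-07", "id=abc&data=;4111111111111111=25121010000000000000?"),
    ("pos-07", "order=1234567890123456&qty=2"),  # 16 digits, fails Luhn
    ("pos-12", "inventory_sync=ok&items=42"),
]

if __name__ == "__main__":
    for host, body in SAMPLES:
        for finding in inspect_post(host, body):
            print(finding)
```

A PoS terminal normally sends card data only to its payment processor, so a finding on a POST to any other destination is worth an alert.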
Now, let’s go through the steps attackers take to get their job done based on past incidents we’ve seen over the years:
- Predeployment: Attackers can compromise PoS devices even before they’re deployed to hotels, shops, and other establishments that need them by getting access to them when they’re still being built in factories. They can either hire a disgruntled factory worker to help them or become factory workers for some time just to set up their attacks. While we haven’t seen specific proof of this, we’ve seen newly purchased devices like digital frames, smartphones, and MP3 players come with malware already built in.
- Employee sabotage: Attackers can also infect PoS devices in shops by gaining access to them physically. They can pose as employees of the establishments. Infecting their target devices with malware would be easy since they already have access to these; it’s just a matter of staying undetected.
- Network communication: Any insufficiently protected Internet-connected system can be vulnerable to online attacks. PoS devices are no exception, especially since most use Windows OSs, which are usual attack targets. They’re just as vulnerable as PCs. They can get infected if any of the other devices in your network are.
We’ll see more data breach incidents because attackers are discovering that it’s more effective to directly steal bulk data from the source. Rather than exerting effort to infect thousands of computers to steal their owners’ email credentials, they only need to hack their email service provider’s network, for example. They stand to get the credentials of the provider’s entire customer base to get what they want. Though hacking an email service provider’s network is indeed harder to do, the payout can be well worth the difficulty.
Though you may think you’re just a common consumer, the fact that the establishments you buy from or whose services you use may soon be victimized should make you realize what you stand to lose. If they become victims, so will you. But we’re not advising you to throw away your credit and/or debit cards. What we’re saying is it’s a good idea to start using cash more or only frequent establishments you know take security to heart.