It was announced this week that the Michaels retail stores breach was much larger than originally thought. However, to those of us in the PCI business, this breach should not have been a surprise. This sort of breach has been going on for quite a while.
Now before everyone goes out and pillories Michaels for their bad luck, I would like all of you to consider how you would have detected such a situation? The bottom line is that for most of you, you would have been just as clueless until the FBI and Secret Service turned up at your doors. So be careful about getting too sanctimonious. More on how to detect these attacks later.
Regardless of what the PCI SSC has said in the past, credit card terminals are not the “dumb” devices as portrayed by the PCI SSC. With the introduction of the PA-DSS v2.0, there was an indication that the PCI SSC had finally come to their senses and recognized this fact by having the software that is used in credit card terminals finally certified under the PA-DSS standard. Let us face it, certain credit card terminals are just as sophisticated as netbooks, use a Linux or Windows Embedded OS as a base and have their own software development kits (SDK). Not exactly the specification for a “dumb” device.
Another point that should not have been a shock is the fact that the terminal was used as the attack vector. Those people advocating end-to-end encryption fail to remind people that wherever the endpoints are will become the new attack points. As a result, the Michaels attacks will become a very popular attack vector once end-to-end is implemented.
Wait a minute, the terminal will become more popular for attacks? After all of last year’s ballyhoo about end-to-end encryption, I can tell you that merchants are under the impression that end-to-end encryption gets them out of being breached. People like Bob Carr, CEO of Heartland Payment Systems, have been the worst at explaining the whole story behind end-to-end encryption. End-to-end encryption just moves the attack points, in this case out to the terminal at the merchant’s location. Worse yet, it also makes securing the merchant’s endpoint even more difficult than it already is, because the techniques used in doctoring terminals can easily go unnoticed.
Early attacks on terminals were crude and, for the most part, remain this way. Typically, USB thumb drives are soldered into the terminals. This attack approach requires the criminals to swap out the doctored devices periodically to obtain their contraband. Fortunately the “electricians” used to doctor these terminals are usually not good at their tasks. As a result, only a few of the doctored terminals actually work and collect usable track data. To get their doctored terminals into retail locations, the criminals hire on as night custodians or other overnight stock help and swap the devices during that time.
But times change. The criminal element gets smarter and begins doctoring terminals using software, not hardware. After all, these devices are just small computers. So now the device is programmed to collect the data and then transmit it overnight to a server on the Internet or, worse yet, to a server that has been compromised on your own network.
So what can a merchant do to counteract such attacks? Actually, quite a bit.
- Put serialized security tape on all of the seam openings on your card terminals and check it at least daily to ensure that it is still in place and that the serial numbers match. When the tape becomes worn, replace it and record the new serial numbers. If you ever notice the tape missing or the serial numbers do not match, take that terminal out of service. Contact your acquiring bank or processor and obtain a terminal directly from them to replace the potentially tampered-with unit.
- Use only reliable card terminal vendors. I know that merchants are under tremendous cost pressures, but are these savings really in your best interest when you are leaking cardholder data on every transaction? Probably not, particularly when customers start complaining and your legal costs start ramping up. However, even trusted vendors can become a bad source of equipment, so keep this in mind.
- Do not trust anyone that just shows up to replace your card terminals. If you did not ask for service, no acquiring bank or processor is going to proactively replace terminals unless they have notified you first. Be very skeptical of any service person that appears out of nowhere to “fix” your terminals.
- If your terminals are on your network, monitor your terminals for when they are disconnected. In most organizations, terminals are rarely disconnected, so any such alert would be an indication that something abnormal has occurred and should be investigated.
- Monitor your external network connections and connections from the terminals to devices that should not be in your cardholder data environment (CDE). Any traffic from the terminals outside your network or to devices not in your CDE is probably someone leaking cardholder data from your terminals for their criminal use. If you see such activity, notify your local FBI office immediately and ask them if you should stop the traffic. At this point, you should also probably get a computer forensic analyst involved to begin gathering documentation on the attack.
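The last two bullets describe a detection rule rather than a product: any flow that originates at a card terminal and lands on the Internet or on an internal host outside the CDE deserves an alert. The script below is an added example (not from the original post) that applies that rule to constructed flow-log lines; the terminal VLAN, the allowed payment-switch subnet and the internal address range are assumed values a merchant would replace with their own.

```python
import ipaddress
import re

# Assumed addressing for the example (not from the post): the card terminals sit on
# their own VLAN, the only legitimate destination is the payment switch subnet,
# and everything in 10.0.0.0/8 is the merchant's internal network.
TERMINAL_NET = ipaddress.ip_network("10.10.50.0/24")
CDE_ALLOWED = [ipaddress.ip_network("10.10.1.0/24")]
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow log lines (timestamp src -> dst:port bytes); not real traffic.
SAMPLE_FLOWS = """\
2011-05-10T14:02:11 10.10.50.21 -> 10.10.1.5:9000 bytes=612
2011-05-10T14:02:19 10.10.50.22 -> 10.10.1.5:9000 bytes=598
2011-05-11T02:13:44 10.10.50.21 -> 203.0.113.7:443 bytes=48211
2011-05-11T02:14:02 10.10.50.23 -> 10.20.7.14:445 bytes=39904
2011-05-11T02:15:00 10.10.1.5 -> 203.0.113.9:443 bytes=120
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$")


def classify_destination(src, dst):
    """Return a finding label for a terminal-sourced flow, or None if the flow is expected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in TERMINAL_NET:
        return None                        # only flows that originate at a terminal matter here
    if d not in INTERNAL_NET:
        return "terminal-to-external"      # direct Internet egress from a card terminal
    if not any(d in net for net in CDE_ALLOWED):
        return "terminal-to-non-cde-host"  # internal host with no business talking to terminals
    return None


def find_suspect_flows(log_text):
    """Parse flow lines and return (timestamp, src, dst, label) for every suspect flow."""
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                       # skip lines that are not flow records
        label = classify_destination(m["src"], m["dst"])
        if label:
            findings.append((m["ts"], m["src"], m["dst"], label))
    return findings


if __name__ == "__main__":
    for ts, src, dst, label in find_suspect_flows(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}: {label}")
```

Note that the overnight timestamps on the two findings are exactly the pattern the post describes; the flow from the payment switch itself is not flagged because the rule only watches terminal-sourced traffic.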
These are just some ideas on how to address this situation. You may have additional options available to you because of the way your organization is configured. However, you need to begin considering this new attack vector as one that will only get worse.