Why hackers may be stealing your credit card numbers for years

Hackers may have the upper hand for years as the retail industry slowly upgrades its systems, analysts said

While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from the store. He later found his own credit card number buried in its systems, a major worry.

The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the security guidelines known as the Payment Card Industry Data Security Standard (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore.

But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: card data stored in memory that is vulnerable to harvesting by malicious software.

The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.

So why are the data thieves winning? Security analysts say point-of-sale malware is neither new nor particularly sophisticated. Programs such as Backoff, BlackPOS and JackPOS hunt down clear-text payment card details jammed in a jumble of data in a computer's memory, a process known as "RAM scraping."

Merchants who handle card data are required to be PCI-DSS compliant or face liability if cardholder data leaks. But the latest security specification, PCI-DSS version 3.0, doesn't mandate that merchants use technologies that encrypt card data from the moment a person's card is swiped, referred to as point-to-point encryption.

Using that kind of technology would eliminate the in-memory malware problem, security experts say.
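The two passages above describe the attack and the fix side by side: RAM scrapers such as Backoff and BlackPOS find clear-text track data in POS process memory, and point-to-point encryption removes that target by encrypting at the reader. The following added example (not from the article or any vendor named in it) shows both halves as a defender would check them: a scanner that finds Luhn-valid card-number runs in a memory snapshot, run first against a constructed "legacy POS" buffer holding clear-text Track 1 and Track 2 data, then against the same transaction where the reader encrypted the tracks before the POS software saw them. The card numbers are industry test numbers, the memory buffers are constructed, and the reader cipher is an HMAC-SHA256 counter-mode keystream standing in for the hardware cipher a real P2PE reader would use (an assumption made so the block runs with the standard library only).

```python
import hashlib
import hmac
import os
import re

# Card numbers (PANs) are 13-19 digit runs; the negative lookarounds stop a longer
# digit run (expiry + discretionary data) from matching as a shorter PAN.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check digit test, the same filter a RAM scraper uses to drop non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # bytes iterate as ints; 48 is ASCII '0'
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return distinct Luhn-valid PAN candidates found in a memory snapshot or file."""
    found = []
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(m.group(1)) and pan not in found:
            found.append(pan)
    return found


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode. A real P2PE reader
    # uses an approved hardware cipher; the point here is only that the POS never
    # holds the key, so it can never hold clear text.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def reader_encrypt(key: bytes, track: bytes) -> bytes:
    """What the card reader emits under P2PE: nonce + ciphertext, opaque to the POS."""
    nonce = os.urandom(12)
    return nonce + _keystream_xor(key, nonce, track)


def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Only the payment processor (key holder) can recover the track data."""
    return _keystream_xor(key, blob[:12], blob[12:])


# Constructed sample data: industry test PANs, fictitious name, made-up order record.
TRACK2 = b";4111111111111111=2412101" + b"0" * 13 + b"?"
TRACK1 = b"%B5555555555554444^DOE/JANE^2412101" + b"0" * 13 + b"?"
NOISE = b"POS-LANE-07 ORDER 1234567890123456 TOTAL 42.17 "  # 16-digit order id fails Luhn


def legacy_pos_memory() -> bytes:
    # Reader hands track data to the POS software in the clear: PANs sit in process memory.
    return NOISE + TRACK2 + b"\x00" * 8 + TRACK1 + NOISE


def p2pe_pos_memory(key: bytes) -> bytes:
    # Reader encrypts at swipe: the POS memory holds ciphertext plus the order record.
    return NOISE + reader_encrypt(key, TRACK2) + b"\x00" * 8 + reader_encrypt(key, TRACK1) + NOISE


if __name__ == "__main__":
    key = os.urandom(32)  # processor-side key, never present on the POS
    print("legacy POS memory:", find_pans(legacy_pos_memory()))
    print("P2PE POS memory:  ", find_pans(p2pe_pos_memory(key)))
    print("processor recovers:", processor_decrypt(key, reader_encrypt(key, TRACK2)) == TRACK2)
```

Run against a real process dump or a collection of log files, `find_pans` is the quick check behind VandenBrink's finding: any hit means clear-text card data is reachable by anything that can read that memory. The same scanner returning nothing for the P2PE buffer is the property the PCI Council's recommendation buys.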

The PCI Security Standards Council, which develops PCI-DSS, did recommend last Wednesday that merchants switch to using that kind of encryption technology.

But retailers often have long technology refresh cycles, so it could be five to seven years before most move to it. Fraud is expected to migrate from big retailers that resolve the weaknesses to smaller ones that have not, said Avivah Litan, a Gartner analyst who consults with banks and card companies.

"In general, I think we are stuck with these point of sale breaches for many years," Litan said.

Retailers are also missing key signs in their network logs that they're under attack. As a result, most breaches are discovered by third parties, such as when fraud shows up on cards, said Bryan Sartin, managing director for Verizon's Risk Team, which investigates data breaches.

Many merchants are using "1990s technology to react to modern-era cyberattacks," Sartin said.

Merchants can be fined by card companies for breaches and are on the hook to pay for forensic investigations, which for PCI-related breaches can cost upwards of US$100,000, said Nick Economidis, an underwriter with the Beazley Group, which has seen its data breach insurance business boom.

In recent years, merchants have occasionally struck back, suing suppliers and integrators of POS systems. Those lawsuits have generally argued the suppliers are liable for breaches due to setup and maintenance errors.

Interestingly, very few of the lawsuits are ever litigated, as POS suppliers often choose to settle, said Charles Hoff, an Atlanta-based lawyer who has been involved in many such actions.

POS suppliers "may feel that they have a strong defense but they don't like the scrutiny in terms of the media," Hoff said. "It certainly doesn't help them in the marketplace. They want to figure out a way to keep their [customers] and not lose them."

All merchants want to do is "sell what they're selling," said Pam Galligan, vice president of compliance and industry relations for Mercury Payment Systems, whose payment processing technology is built into various POS systems.

"PCI asks these merchants to comply with an increasingly technical set of requirements," she said. "They don't want to spend a lot of time and energy trying to protect their card environments."

There's a broad effort under way to ensure that merchants are up to speed with PCI-DSS 3.0, which comes into force on Jan. 1. But it's complex: there are 12 main requirements and more than 250 sub-requirements.

Galligan said Mercury works to ensure its POS partners are up on PCI. Hoff is co-founder and CEO of PCI University, an organization that tries to explain PCI-DSS to people who aren't data security experts.

Merchants are under heavy pressure to handle card data right every time, all the time. The PCI Council advises that retailers can't just pass an annual audit and forget about it. A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.

That is exactly what happened with the Canadian retailer VandenBrink tested. The company had recently finished a hardware refresh and in the process left two open Internet-facing telnet and SSH ports, he said.

The ports were password protected, but using various techniques, VandenBrink eventually discovered the right passwords. That allowed him to get access to where the payment card data was held in memory, including his own.

"I was surprised," he said. "There were thousands of cards in memory."
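Sartin's point that retailers miss the signs in their own logs, and the way VandenBrink got in (Internet-facing telnet and SSH left open after a hardware refresh, with passwords eventually guessed), both come down to a few log patterns that are easy to watch for. The added example below is not from the article or from Verizon or Metafore; it runs three checks over constructed syslog and firewall lines: repeated failed logins from outside the company's address space, a successful login from a source that had just been failing, management ports (22/23) accepting connections from the Internet, and POS-segment hosts talking to anything other than the payment processor. The network facts (POS subnet, processor address, thresholds, log formats) are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed facts for this example: the POS lanes live in 10.20.0.0/16 and may only
# reach the payment processor at 203.0.113.10:443; everything else is internal
# address space. Adjust to the real environment.
POS_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DESTS = {("203.0.113.10", 443)}
MGMT_PORTS = {22, 23}
FAILED_LOGIN_THRESHOLD = 5

SSHD_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
SSHD_OK_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")
FW_RE = re.compile(r"fw: ACCEPT (?:TCP|UDP) src=(\S+) dst=(\S+) dport=(\d+)")


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Single pass over log lines; returns the findings a POS operator should act on."""
    fails = Counter()
    success_after_failures = []
    exposed_mgmt_ports = []
    unexpected_pos_egress = []
    for line in lines:
        m = SSHD_FAIL_RE.search(line)
        if m:
            user, src = m.groups()
            if is_external(src):
                fails[src] += 1
            continue
        m = SSHD_OK_RE.search(line)
        if m:
            user, src = m.groups()
            # A success from a source that has been guessing is the sign that matters most.
            if fails[src] >= FAILED_LOGIN_THRESHOLD:
                success_after_failures.append((user, src))
            continue
        m = FW_RE.search(line)
        if m:
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            if dport in MGMT_PORTS and is_external(src):
                exposed_mgmt_ports.append((src, dst, dport))
            if ipaddress.ip_address(src) in POS_NET and (dst, dport) not in ALLOWED_DESTS:
                unexpected_pos_egress.append((src, dst, dport))
    return {
        "brute_force_sources": {ip: n for ip, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD},
        "success_after_failures": success_after_failures,
        "exposed_mgmt_ports": exposed_mgmt_ports,
        "unexpected_pos_egress": unexpected_pos_egress,
    }


# Constructed log sample (documentation address ranges, no real hosts).
SAMPLE_LOG = """\
Sep 12 03:14:01 edge-router sshd[2211]: Failed password for root from 198.51.100.7 port 50122 ssh2
Sep 12 03:14:02 edge-router sshd[2212]: Failed password for root from 198.51.100.7 port 50123 ssh2
Sep 12 03:14:03 edge-router sshd[2213]: Failed password for root from 198.51.100.7 port 50124 ssh2
Sep 12 03:14:04 edge-router sshd[2214]: Failed password for root from 198.51.100.7 port 50125 ssh2
Sep 12 03:14:05 edge-router sshd[2215]: Failed password for root from 198.51.100.7 port 50126 ssh2
Sep 12 03:14:06 edge-router sshd[2216]: Failed password for root from 198.51.100.7 port 50127 ssh2
Sep 12 03:14:09 edge-router sshd[2217]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Sep 12 03:20:00 edge-router sshd[2240]: Accepted password for admin from 198.51.100.7 port 50140 ssh2
Sep 12 03:21:00 store-fw fw: ACCEPT TCP src=198.51.100.7 dst=192.0.2.1 dport=23
Sep 12 08:05:12 store-fw fw: ACCEPT TCP src=10.20.7.3 dst=203.0.113.10 dport=443
Sep 12 08:05:40 store-fw fw: ACCEPT TCP src=10.20.7.3 dst=192.0.2.55 dport=80
Sep 12 08:06:00 store-fw fw: ACCEPT TCP src=10.20.7.4 dst=203.0.113.10 dport=443
Sep 12 09:00:00 edge-router sshd[2300]: Failed password for ops from 192.168.1.15 port 40000 ssh2
"""

if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {value}")
```

The egress check is the one that catches RAM-scraping malware after the fact: a lane that only ever needs the processor has no reason to open a connection anywhere else, so a single allowlist turns the exfiltration of harvested card data into an alert rather than something a bank notices weeks later.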

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Jeremy Kirk

IDG News Service