Most data breaches involving payment card information - and there have been too many in the last two years - can be traced back to a lack of implementation of security measures.
Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now. Many merchants have very immature security programs.
Most breaches involved the exploitation of very simple vulnerabilities, and many of the merchants hit have very immature security programs, Charles Henderson from Trustwave and David Byrne from Bishop Fox have noted in their presentation at RSA Conference 2015. "Future breaches are likely to leverage more complex vulnerabilities as merchants become more secure," they posited, but so far, they have been found doing things like:
- Using the same administrator password for nearly a decade - or not using any
- Failure to use up-to-date AV that would easily discover memory-scraping malware
- Back of house servers configured for remote management utilizing pcAnywhere
- Computers in the cardholder data environment used to browse the internet, download torrents, play games.
- Lack of physical security allowing insiders and outsiders to modify PoS devices and systems by adding skimmers
- Not changing the default password on the devices. In one specific case, a major vendor was found using the same default password for all products since 1990! And this password was publicly documented in an online FAQ, along with names of companies that use these devices.
- Improperly using symmetric encryption keys
- Using just passwords to secure the endpoint
- No drive encryption
- Using one set of authentication credentials across the entire enterprise - or no authentication at all
- Running devices on an administrator account
- Allowing the running of unauthorized programs
- Failing to authenticate endpoints, and not encrypting communication, and so on.
Finally, they offered some tips on how to implement a good PoS security program, and it includes ensuring that no payment card data is stored on registers, enforcing strong authentication policies, not running PoS user interface as “administrator," and keeping software up-to-date and constantly downloading fresh AV signatures.
In addition to this, they say it's a good idea to evaluate the security of data communication, test application servers for vulnerabilities, lock down the client execution environment, use key/certificate-based authentication, and end-to-end encryption with asymmetric keys.
