Each reported breach is a nightmare, but the good news is that each one can also teach acquirers and merchants useful lessons about securing payments data.
When fast-food chain Wendy’s Co. became the latest brand-name merchant to fall prey to a data-stealing malware attack in late January, the news served as a reminder to merchants everywhere that, no matter how strong they think their network security is, hackers will find a way to beat it.
The breach was spotted when security experts linked fraudulent credit card transactions back to several card-account numbers recently used at Wendy’s locations. Within a couple of weeks of announcing the breach, the restaurant chain confirmed the presence of malware at several of its locations. Wendy’s declines further comment while its investigation is ongoing.
This hack is the latest in a long line of high-profile data breaches in recent years that includes such tier-one merchants as Target Corp., The Home Depot Inc., Michaels Stores Inc., and Wyndham Hotels and Resorts LLC. With each reported breach, merchants are discovering anew that even following the Payment Card Industry data-security standard (PCI)—a set of guidelines sponsored by all the major card networks—is not enough to thwart hackers.
“We were breached one month after a PCI audit and found to be compliant,” says Mike English, vice president, product development for Princeton, N.J.-based Heartland Payment Systems, which suffered a huge breach in 2009. “We learned that to beat hackers, we need an offensive security strategy, not a defensive strategy.”
Indeed, observers say most merchants are still adopting a bunker mentality when it comes to securing data. They’re focusing on securing firewalls to keep criminals out, rather than looking at where vulnerabilities exist in their systems and understanding the methods criminals use to exploit them.
Looking Like an Insider
The first lesson gleaned from merchant breaches is that the weakest link in any data-security plan remains the human element. Employees can inadvertently circumvent security standards by opening emails or attachments containing malware, says Chris Novak, a director on the risk team at Verizon Enterprise Solutions, a division of Basking Ridge, N.J.-based Verizon Communications.
Employees’ penchant for opening what they consider to be innocuous personal emails at work is a major reason phishing attacks have been on the rise since 2011, though the growth rate slowed in 2014, according to Verizon’s 2015 Data Breach Investigation Report.
In 2014, 23% of recipients opened phishing messages and 11% clicked on attachments. In previous years, the effectiveness of phishing campaigns was between 10% and 20%, according to Verizon.
Phishing attacks deliver malware in email messages or attachments. When the message or attachment is opened, the malware runs on the employee’s machine, which sits inside the merchant’s network, and begins gathering data about the network and its inner workings. It then transmits that data back to the malware’s author. Malware can also be planted by Web sites that employees visit during the work day.
“One reason phishing attacks have been on the rise is because hackers are finding it easier to have someone hold the door open for them, rather than try to break it down to gain entry to a system,” says Novak. “The human component is overlooked in data security. No matter how well a merchant educates its employees about how to spot potential phishing attacks, if they have a high turnover rate, that knowledge leaves with the employee.”
What makes phishing attacks difficult to stop is that criminals are becoming savvier at gathering information about an employee from social and professional networking sites. This lets them craft email subject lines likely to appeal to the employee, such as one that references a recent trip.
Criminals can gain access to employee emails using a variety of methods that include buying mailing lists from spammers and scanning Web pages and social-networking profiles. They can also purchase lists from employees working inside the company, security experts say.
Typically the malware launched from a phishing attack targets an employee’s credentials, such as user name and password, to gain access to applications within the merchant’s network. Once inside the network, the hacker can map how databases are linked to specific programs and identify vulnerabilities in those applications that can be exploited.
Hackers who steal employee credentials can also use them to send malware-infected emails internally to gather the credentials of higher-ranking employees who have fewer restrictions on accessing sensitive applications and databases, according to data-security experts.
“Once a hacker steals an employee’s credentials, they are hard to detect because they look like an insider moving through the system,” says Fred Kost, senior vice president for Hytrust Inc., a Mountain View, Calif.-based provider of cloud-based security-automation solutions.
Other forms of employee credentials include a merchant account and merchant identification. The latter are typically used to steal financial data and even move large sums of money out of a merchant’s, processor’s, or financial institution’s account via the automated clearing house or a wire transfer to an account controlled by the hacker, Verizon’s Novak says.
‘Out of the Norm’
What most merchants don’t realize about phishing attacks, or about data breaches in general, is that hackers can lurk undetected inside a merchant’s back-office systems for months, mapping the data pathways and probing for vulnerabilities while waiting for the right moment to strike.
Many merchants that have been breached learn during the post-breach investigation that the hacker was inside their system for six to seven months, on average, prior to stealing the data, says Novak. Most merchants learn they have been breached only when cardholder data in their possession has been used to perpetrate fraud, he adds.
Once the data is stolen, it is either quickly resold to a fraud ring or immediately used to perpetrate fraud. Criminals know that, once a stolen card account is flagged, it won’t take long for cybersecurity experts to work backward to identify where the information was stolen and shut down the compromised accounts.
Stealing credentials to resell is becoming a bigger motivation for hackers, as evidenced by the increasing number of Web sites popping up where criminals can purchase someone’s credentials. Credentials to a PayPal account with a guaranteed $500 balance can sell for more than $6, and credentials to a Facebook account fetch about $3, according to data compiled by Trend Micro.
Two of the most effective ways to prevent phishing attacks are better internal governance of who has access to sensitive data and monitoring employee movements through the network to spot behavioral anomalies. These anomalies might include an employee sending a command to an application to release data when he has no need for that information.
“If an employee doesn’t need access to sensitive data, don’t give it to him,” says Kost. “Monitoring behavioral patterns of employees also helps spot when hackers have stolen someone’s credentials through behavior patterns that are out of the norm for that employee.”
In addition to continually educating employees about the risks of opening email from untrusted sources, merchants should limit employee access to certain data; require employees to log in before accessing data, so there is a record of who viewed the information; restrict data and application access to specific times of day; and require regular password changes, according to Ken Musante, president of Eureka Payments, a Eureka, Calif.-based transaction processor.
“This typically has not been a core function of most businesses,” Musante says by email.
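The two controls just described, need-to-know limits on who may pull sensitive data and time-of-day limits on when, can be checked mechanically against an access log. The following is an added example, not code from the article or from any of the companies quoted: a small audit script that runs a constructed role policy over constructed log lines and flags the "out of the norm" events, an employee issuing a data-release command his role has no need for, or doing so outside the hours that role normally works. The log format, role names, actions and hours are all assumptions made for the illustration.

```python
"""
Added example (not from the article): an access-audit check that flags
events outside an employee's role and outside the role's working hours.
Policy, log format and sample lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed policy: the actions each role may perform, and the local hours
# (inclusive start, exclusive end) during which that role normally works.
ROLE_POLICY = {
    "cashier": {"actions": {"auth_sale", "void_sale"}, "hours": (6, 23)},
    "manager": {"actions": {"auth_sale", "void_sale", "refund"}, "hours": (6, 23)},
    "finance": {"actions": {"view_settlement", "export_batch"}, "hours": (8, 19)},
}

# Actions that release cardholder or settlement data in bulk. These are
# flagged whenever they occur, whatever the role, so a reviewer sees them.
SENSITIVE_ACTIONS = {"export_batch"}


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    app: str
    action: str


def parse_line(line: str) -> Event:
    # Constructed log format: "<ISO timestamp> <user> <role> <app> <action>"
    ts, user, role, app, action = line.split()
    return Event(datetime.fromisoformat(ts), user, role, app, action)


def check_event(ev: Event) -> list[str]:
    """Return the policy findings for one event (empty list when it is normal)."""
    findings = []
    policy = ROLE_POLICY.get(ev.role)
    if policy is None:
        return [f"unknown role {ev.role!r} for user {ev.user}"]
    if ev.action not in policy["actions"]:
        findings.append(f"{ev.role} has no need for {ev.action}")
    start, end = policy["hours"]
    if not (start <= ev.ts.hour < end):
        findings.append(
            f"{ev.action} at {ev.ts.strftime('%H:%M')} is outside {ev.role} hours"
        )
    if ev.action in SENSITIVE_ACTIONS:
        findings.append(f"sensitive action {ev.action} by {ev.user}; confirm it was expected")
    return findings


def audit(lines) -> list[tuple[str, str]]:
    """Run every log line through the policy and return (user, finding) pairs."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        for finding in check_event(ev):
            results.append((ev.user, finding))
    return results


# Constructed sample log. The first three lines are routine; the last two are
# the kind of behaviour a stolen credential produces: a cashier account pulling
# a settlement export at 02:47, and a finance user exporting at 03:05.
SAMPLE_LOG = """
2016-02-10T09:12:04 jdoe cashier pos-store-12 auth_sale
2016-02-10T09:30:51 mlee manager pos-store-12 refund
2016-02-10T14:02:17 rpatel finance settlement-portal view_settlement
2016-02-10T02:47:33 jdoe cashier settlement-portal export_batch
2016-02-10T03:05:10 rpatel finance settlement-portal export_batch
""".splitlines()

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

The role table is deliberately the only place policy lives, so adding a role or tightening its hours is a one-line change. In practice the log would come from the application's own access records, which is exactly why the passage recommends a login step before any data access: without that record there is nothing to audit.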
Another lesson from recent breaches: Third-party applications represent a point of vulnerability for merchants. Merchants must rely on the third party to make sure their network has not been compromised, but, increasingly, many third-party technology providers are being targeted as gateways to a merchant’s database.
In 2015, Verizon found that, in 70% of the attacks where the motive for the attack was known, a secondary victim was targeted. For example, a point-of-sale terminal installer that also maintains the equipment for its customers can be targeted by a hacker.
Once inside the installer’s systems, the hacker can gather the credentials needed to gain entry to the merchant client’s networks, which are the intended target.
Some hackers may also target a vendor to learn how its application works so it can be manipulated when the targeted merchant client is attacked. “We are seeing more of these types of hybrid attacks,” Novak says.
How to gauge the risk third-party applications pose? Security experts recommend viewing these applications from the perspective of the hacker. That broadens a merchant’s perspective about where vulnerabilities in its system lie.
“Third-party applications can be independently tested for security purposes, but, even if the app is secure, the installation can inadvertently open up holes further downstream in the network if installation is not done in a secure manner,” says Troy Leach, chief technology officer at the Wakefield, Mass.-based PCI Security Standards Council, which oversees development, management, and educational awareness of PCI. “Merchants should not overlook the security of third-party partners.”
Arguably, the strongest measure merchants can take to protect themselves is to devalue cardholder data from the moment it enters their POS system. The means to do this lie in end-to-end encryption and tokenization.
Encryption makes card data unreadable by transforming it with a cryptographic algorithm and a secret key as it is entered into the POS terminal. The information can only be unscrambled by someone holding the key, which is typically the credit card processor.
Even if a criminal intercepts the encrypted data, it is unlikely he will have the expertise, resources, or time needed to recover the key required to decrypt it.
Tokenization removes credit card data from a merchant’s POS network and replaces it with a randomly generated sequence of letters and numbers that stands in for the card number. If a criminal intercepts a token, it contains no card data and is worthless to him.
“Encrypting data and using tokens take the data out of the merchant’s system, which reduces the threat of being hacked,” says Steve Petrevski, senior vice president, fraud and security for Atlanta-based First Data Corp.
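To make the tokenization half of this concrete, here is an added example (not code from the article, Heartland, Voltage, or First Data) of a minimal token vault. The merchant-side record keeps only the token; the real card number lives in the vault, which in practice would be held by the processor rather than the merchant. The vault here is an in-memory dictionary, the `TK` token format and the 12-character random body are assumptions, and the card numbers in the test are the widely published Visa and Mastercard test PANs, not real accounts.

```python
"""
Added example (not from the article): a minimal tokenization vault showing
how a merchant system can process a sale without ever holding the PAN.
Token format and the in-memory vault are constructed for illustration.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check, used only to reject malformed input before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs. Only the holder of the vault can detokenize."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        # Same PAN -> same token, so the merchant can recognise a repeat
        # customer or issue a refund without ever holding the card number.
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random body (from a CSPRNG, so it has no relation to the PAN)
            # plus the real last four digits, which receipts already show.
            body = "".join(secrets.choice(ALPHABET) for _ in range(12))
            token = f"TK{body}{pan[-4:]}"
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code with access to the vault can get the PAN back."""
        return self._by_token[token]


def is_token(value: str) -> bool:
    """Cheap format check so downstream code can tell a token from a stray PAN."""
    return value.startswith("TK") and len(value) == 18 and value[2:14].isalnum()


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores: token, last four and amount, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    sale = record_sale(vault, "4111 1111 1111 1111", 1999)  # published test PAN
    print(sale)
    print("vault resolves token to", vault.detokenize(sale["token"]))
```

The point the passage makes is visible in `record_sale`: everything the merchant persists is derived from the token, so a dump of the merchant's database yields strings that are useless without the vault. A real deployment would also authenticate every detokenize call and keep the vault on separate infrastructure, which is the "partner to provide encryption" arrangement the next paragraph describes.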
So, a third lesson from recent breaches is to find a partner to provide encryption. After suffering its data breach in 2009, Heartland partnered with Voltage Security, a Cupertino, Calif.-based vendor of end-to-end data-encryption solutions, to provide encryption as part of the processor’s Heartland Secure solution.
Heartland now has more than 200,000 clients using Heartland Secure and has received no reports of breaches from those customers. Should a merchant using Heartland Secure be hacked, the processor guarantees to pay all fines on the merchant’s behalf. The average cost to a merchant per account breached in 2014 was $201, up from $188 a year earlier, according to Traverse City, Mich.-based Ponemon Institute LLC, English says.
And that doesn’t encompass all breach costs, which can include legal action. Several card issuers, for example, brought a class-action suit against Target Corp. in 2015 just weeks after the department-store chain reportedly agreed to pay as much as $67 million to financial institutions that issue credit and debit cards on the Visa network. The lawsuit was expected to be settled out of court.
Target, which at the time was also reportedly negotiating a settlement with MasterCard Inc. on behalf of card issuers that had accounts affected by the breach, estimates that about 40 million cards were compromised during the 2013 holiday shopping season.
Most Sobering Lesson
Of all the lessons to be learned, the most sobering is that hackers are constantly evolving their methods to circumvent merchant security. They know that, once a data breach is discovered, cybersecurity experts will quickly develop defenses to thwart similar breaches in the future.
“Hackers excel at imagining new ways to breach security, while merchants think more about technological security fixes than about the threat hackers pose,” says Gideon Samid, chief technology officer at BitMint, a Washington, D.C.-based provider of digital-currency solutions, and author of the monthly “Security Notes” column in Digital Transactions.
“The deeper merchants drill down when assessing the security threat and measure how easily their defenses can be defeated, the more likely they are to create defenses that make it more costly for the hacker to try to defeat them and move on to someone else,” Samid continues.
Neutralizing the Mobile Security Threat
Some 64% of American adults owned a smartphone as of the spring of 2015, up from 35% at the same time in 2011, according to the Washington, D.C.-based Pew Research Center. That means merchants and acquirers need to expand their data-security measures to include the mobile channel.
For merchants, the key to data security in the mobile channel is locking down the server that runs their mobile application, not just protecting their mobile application from malware.
“A lot of merchants make the mistake of focusing only on securing their mobile app because they think that is what hackers are targeting, but the real target is the host server because it connects to other servers and databases in the merchant’s network,” says Chris Novak, a director on the risk team at Columbus, Ohio-based Verizon Enterprise Solutions.
What most merchants fail to recognize, Novak says, is that once a mobile app’s defenses are broken, criminals can reverse-engineer the app to communicate with the host server and give it commands to provide cardholder data or induce it to show where that information resides within the merchant’s network.
If the host server is not secure or regularly monitored for suspicious activity, hackers can use access to the server to roam through a merchant’s network at will.
“Just because an app was not originally written to perform the commands a criminal wants it to, does not mean it can’t be reverse-engineered to give those commands to the host server,” Novak says. “Performing regular vulnerability scans on host servers to look for commands coming from an app that wouldn’t normally give [those commands] is essential.”
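The server-side check Novak describes, looking for commands that the genuine app never issues, is straightforward to build because the merchant knows exactly which API calls its shipped app makes. The following is an added example, not code from the article or Verizon: a detector that runs over constructed host-server request lines, compares each call against the allowlist for the client version it claims to be, flags back-office paths that no mobile client should touch, and counts distinct failed paths per session to catch an app being driven to enumerate where data lives. Endpoint names, the log format, the client identifiers and the threshold are all assumptions.

```python
"""
Added example (not from the article): host-server detection of a mobile app
that has been reverse-engineered into issuing commands the real app never
sends. Log format, endpoints, client names and threshold are constructed.
"""
from collections import defaultdict

# Every call the genuine app makes, per released version (constructed).
APP_ALLOWLIST = {
    "storeapp/3.2": {
        "POST /v1/login",
        "GET /v1/menu",
        "POST /v1/order",
        "GET /v1/order/status",
    },
}

# Paths that exist on the host for back-office use but must never be reached
# through the mobile channel (constructed).
BACKOFFICE_PREFIXES = ("/internal/", "/admin/")

# Distinct paths that returned 4xx within one session before we call it
# enumeration rather than a single mistyped request.
PROBE_THRESHOLD = 3


def parse_request(line: str):
    # Constructed format: "<session> <client> <method> <path> <status>"
    session, client, method, path, status = line.split()
    return session, client, f"{method} {path}", path, int(status)


def analyse(lines) -> list[tuple[str, str]]:
    """Return (session, finding) pairs for every request that is out of the norm."""
    findings = []
    failed_paths = defaultdict(set)  # session -> distinct paths that got 4xx
    for line in lines:
        line = line.strip()
        if not line:
            continue
        session, client, call, path, status = parse_request(line)
        allowed = APP_ALLOWLIST.get(client)
        if allowed is None:
            findings.append((session, f"unknown client {client}"))
        elif path.startswith(BACKOFFICE_PREFIXES):
            findings.append((session, f"back-office path {path} requested via mobile channel"))
        elif call not in allowed:
            findings.append((session, f"{client} never issues {call}"))
        if 400 <= status < 500:
            failed_paths[session].add(path)
            if len(failed_paths[session]) == PROBE_THRESHOLD:
                findings.append(
                    (session, f"{PROBE_THRESHOLD} distinct failed paths; looks like enumeration")
                )
    return findings


# Constructed sample: s1 is a normal order; s2 is the same app binary being
# driven to fetch card and customer data and to poke at internal paths; s3 is
# an unrecognised client talking to the mobile API.
SAMPLE_REQUESTS = """
s1 storeapp/3.2 POST /v1/login 200
s1 storeapp/3.2 GET /v1/menu 200
s1 storeapp/3.2 POST /v1/order 201
s2 storeapp/3.2 POST /v1/login 200
s2 storeapp/3.2 GET /v1/cards/all 403
s2 storeapp/3.2 GET /v1/customers 404
s2 storeapp/3.2 GET /internal/db/schema 403
s2 storeapp/3.2 GET /admin/export 200
s3 generic-client/1.0 GET /v1/menu 200
""".splitlines()

if __name__ == "__main__":
    for session, finding in analyse(SAMPLE_REQUESTS):
        print(f"{session}: {finding}")
```

One caveat a practitioner will want: the client string is supplied by the caller and can be forged, so the allowlist tells you a request is abnormal for the app it claims to be, not that the request is safe when it matches. The check complements server-side authorization on every endpoint; it does not replace it. Note also that the `/admin/export` line above returned 200, which is the case the passage warns about: a host that answers such a call from the mobile channel at all is the real problem, and the detector only makes it visible.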
Android is the most vulnerable mobile platform, with 96% of mobile malware targeted at it, according to Verizon’s 2015 Data Breach Investigation Report. Further, more than 5 billion downloaded Android apps are vulnerable to remote attacks, the report says.
“Merchants need to take steps to secure their back-end mobile infrastructure as well as their app,” warns Novak.