What’s with all the Point of Sale Data Breaches?

11979892_s

Just one month into 2014 and the tech media landscape has already begun to cluster around one dominant theme: Data Breaches from Point of Sale Attacks.  First it was Target.  Then it was Neimann Marcus.  Then Michaels.  Now White Lodging, a company that manages Hilton, Sheraton, Marriott, and Westin hotels.

While much of this conversation is indeed sensationalized media hype, there is clearly something going on.  Someone, or rather some group of hackers, have successfully compromised millions of credit and debit card accounts, and they’ve done so by attacking the POS systems of multiple, multi-million dollar corporations.  Whether the attacks are connected by some centralized, orchestrating body has yet to be determined; but, 4 in less than a month means something, and at this point there’s no telling how many more will be exposed.

This trend is significant to anyone participating in the world’s computerized economy, and as such Emsisoft would like to start a conversation of our own.

A Background on Point of Sale Attacks

A Point of Sale attack is one that targets the computer on which a monetary transaction takes place.  The registers at your favorite grocery store or retailer are simply modified computers running a specialized version of Windows.  Today, most POS systems use Windows XP or Windows XP Embedded.  This means that creating malware for a POS system does not require any sort of specialized knowledge or skill set.

Credit/debit card information becomes vulnerable on a POS system because it is transferred internally in an unencrypted state.  Although the information is encrypted when it enters the register terminal, when it is stored on the terminal and when it leaves the terminal and is sent to an external server, it is not encrypted as it passes from one point in the terminal to another.

A hacker name Albert Gonzalez was the first person to notice this caveat and leverage it to his advantage.  From 2005 to 2007, Gonzalez stole and resold an estimated 170 million credit/debit card account numbers, from TJ Maxx, Dave & Busters, and other corporations of the like.  In 2010, Gonzalez was sentenced to 20 years in prison; yet, his POS attack technique remains free and is the inspiration for most attacks up to today.

Gonzalez used what’s called a RAM scraper, a malware program that can collect unencrypted financial data from a machine’s temporary memory as the data is being transferred to different points within the machine.

There are indeed other methods used to glean information from a POS system, but the RAM scraper has consistently proven to be the most cost effective.  Another common approach has been to affix individual terminals with malicious scanning hardware, as was actually done to Michaels back in 2011 and Chicago-based grocery chain ALDI in 2010. This method will work, but it requires physical installation on an individual machine, which increases the chance of getting caught and decreases the extent to which the attack can be propagated, as it’s a whole lot easier to worm your malware through a network than it is to install a fake card reader in-person, by hand.

Point of Sale Attack Processes

As with any computerized attack, creating the malware is only half the battle.  To be effective, attackers must also infiltrate the systems which they wish to infect and export the data they want to obtain without being detected.

Infiltration

As it stands right now, the PCI Security and Standards Council recommends but does not require POS systems to be network isolated.  By “network isolated,” they mean that a secure POS system would not be connected to anything outside of itself – like personal computers or other networks connected to the Internet.  From a practical standpoint, this recommendation is almost impossible to implement, as POS systems require regular maintenance and updates and must be able to export business data to external servers.

POS protection therefore utilizes whitelisting software.  Whitelisting software can regulate which “channels” a POS can communicate on and receive updates from.  If an attacker can hack a POS’s whitelisting software, they can then place their channel on the system’s whitelist and begin communicating with the system.  If this proves too difficult, the attacker could simply try to phish corporate employees to obtain direct access to the corporate network through a backdoor entryway.

Whichever way communication is established, the attacker must then obtain administrative access to the POS system.  As with hacking a personal computer, there are a number of ways to go about this.  What it ultimately boils down to is finding administrative log-in credentials through some form of password cracking, such as a key logger or brute force.   Once these credentials are obtained, the chosen RAM scraper can be loaded onto the POS system to collect data.  But the job doesn’t end there.

Exfiltration

Data collected by a RAM scraper is only valuable if it can be collected by a human attacker.  That’s because attackers can sell that data on Internet auction sites to the highest paying bidder.  Accordingly, most POS systems have stringent security measures set in place to control the exportation of financial data.  Namely, it has to be encrypted, and it is only supposed to be sent to “whitelisted” locations.   To bypass the first measure, attackers can simply encrypt their exportation transmissions so as not to raise suspicion.  Attackers can also time exportations to co-occur with other legitimate ones, so as to hide within the noise.  To bypass the second security measure, attackers can identify and compromise whitelisted servers, and use them as “staging points” for yet another transmission to compromised third-party servers of seemingly innocuous websites.

When all is said and done, an attacker with administrative credentials can scrub the POS system to bury their footprints, or they can program the RAM scraper to scrub itself.

BlackPOS

One of the most popular RAM scrapers in use today is called BlackPOS.  BlackPOS comes in a number of variations, most of which can be purchased on hacking sites and one of which was used on Target.

On February 4th, computer security journalist Brian Krebs published an interview with two analysts who had encountered BlackPOS as early as January 2013, when their security firm PSC helped an undisclosed retailer remediate infection.  Krebs’ conversation with the two analysts, Tom Arnold and Paul Guthrie, is quite lengthy but also quite informative and interspersed with many important distinctions, all of which point to BlackPOS being much more advanced than your run of the mill RAM scraper.

The analysts state that the BlackPOS they worked with over a year ago actually uses an inter-communications process hook, to make itself part of the POS system and to scrape specifically for credit/debit card numbers as opposed to collecting massive chunks of code that attackers have to sort through by hand.  They also spoke about the malware’s exfiltration process; notably, they never quite figured out how it worked, but they did find that the process was based on timing itself to hide within the “noise.”  Thirdly, January 2013’s BlackPOS could scrub it’s footsteps with amazing precision.  The malware had a worm like component and would propagate through local POS networks searching only for machines with POS software.  If a machine didn’t have the software, the malware would self-destruct and leave no trace of its presence behind.

That BlackPOS had these capabilities over a year ago suggests that the variant used to attack Target was even stronger.  What’s most interesting about this is that before Krebs’ interview with the analysts on February 4th, HP actually published an analysis of BlackPOS’s evolution on January 31st.  This analysis compared a 2012 BlackPOS to the variant purportedly used in the attack on Target, and it revealed two main differences:

  1. Target’s BlackPOS registered itself as a Window’s service with function create_and_start_service, whereas 2012’s BlackPOS was a command line .exe.
  2. Target’s BlackPOS exfiltrated data once a day, by calling an upload_log_file function between the peak business hours of 10 AM and 5 PM.

In stark contrast to what Arnold and Guthrie had to say about 2013’s BlackPOS – “If it is the work of just one guy, he’s absolutely brilliant” – HP was largely dismissive of the evolved variant used on Target, stating it was “not overly sophisticated or technically challenging.”

The Future of POS Attacks

Even just the variation in interpretation of BlackPOS’s complexity points to one of the biggest obstacles in combating POS malware.  If expert analysts can’t come to a consensus, how can policy makers?  If the PCI is setting standards, why are they viewed as recommendations instead of obligations? And if independent journalists like Krebs know about POS attacks before authorities, how are those with the power to remediate ever to keep up?

Complicating things even further is that on April 8th, 2014, Microsoft cuts support for Windows XP, the OS of choice for the majority of POS systems in use today.

In response, American policy makers have begun to debate the switch to a newer type of chip-and-PIN based credit/debit card that would replace magnetic strip technology. This new technology would make it harder to fabricate fraudulent cards and increase the cost of doing business for attackers, but it would do nothing to decrease the efficacy of RAM scrapers.  This debate is also layered with many political implications regarding the FTC, the bipartisan nature of which has made progress slower than dial-up Internet.

At the end of the day, it is largely this slowness to respond that has allowed POS attacks to persist and achieve success.  In fact, Target Corporation actually discussed switching their rewards-based credit cards to chip-and-PIN technology a full 10 years ago.  Even more telling is Verizon Corporation’s recent investigation on data breaches, which shows a 25% increase in breaches that persisted undetected “for months or more,” from 41% in 2010 to 66% in 2012.

There is indeed a lot of hype surrounding this situation, but there’s also quite a bit of legitimacy that needs to be discussed and resolved.  4 POS data breaches in just the last few months represents only what the media is covering.  The facts that analysts were working with a BlackPOS variant that infected an undisclosed retailer in 2013 and that the malware has evolved over time both suggest that the likelihood of future attacks – or at least the coverage of ones that have already occurred –  is quite high.

Solutions to this game of cat and mouse will include consensus among the computer security community at large…and maybe even a little bit of behavior blocking for good measure ;)  In the meantime, we here at Emsisoft hope you have a nice (data-breach free) day.