Just in time for holiday shopping, the forensics team at SecurityMetrics has discovered a new keylogger that is being used to pilfer cardholder information. The new hacking tool – Logixoft’s Revealer Keylogger – isn’t yet being flagged as malware by most antivirus products, so even merchants with up-to-date antivirus protection might get burned. Here’s the story.
Revealer works like the Blazing Tools Perfect Keylogger that has been used by hackers for the past couple of years. If a hacker is able to bypass a business’ access controls, he (or she) can install Revealer on the card terminal’s payment application. Revealer captures the card data as it is entered into the terminal either by swiping the card or manual keypunching. Then the stolen card data is emailed or FTP’ed out of the system. Suddenly you’ve got a data breach.
We have also recently seen hackers installing multiple versions or copies of keyloggers like Revealer in different locations on the merchant’s system and under a variety of file names. They are apparently doing this in an attempt to avoid detection, thinking or hoping that not all of their malware iterations will be found and removed.
Initially, AV products ignored the Blazing Tools keylogger because it’s a commercial product that is advertised as a way to monitor employee or child activities. Now most AV products identify that keylogger as possible malware, but to date we know of only one AV vendor that has put Revealer on their watchlist. We are informing all of the major antivirus vendors about the problem, so hopefully that will change soon.
Meanwhile, the best defense against Revealer is to keep hackers out of your system in the first place, using the same access control measures required to conform to the Payment Card Industry Data Security Standard (PCI DSS). Harden your system to prevent unauthorized remote users. Use complex passwords with alphanumeric and special characters. Be sure to change the default password that comes with your payment software. Avoid an always-on VPN connection if you can, and ensure that all remote access requires two-factor authentication.
Also, on the outbound side, put defenses in place to stop hackers from exporting harvested data via FTP or a covert SMTP server. Use your firewall to segment the network so that payment and business applications aren’t on the same partition. Then filter all of your outbound Internet traffic so that data from your payment application can only go to your processor or other trusted destinations. Since processors no longer require an FTP option, disallow FTP traffic for your payment application entirely.
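The outbound filtering described above, as an added example that is not part of the original post: a small Python check that flags connections leaving the payment segment for anything other than the processor, or on FTP/SMTP ports, run over constructed connection-log lines. The segment range, processor addresses and log format are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed egress policy for the payment segment (all values are assumptions):
# hosts in PAYMENT_SEGMENT may only reach the processor on TCP/443, and FTP or
# SMTP traffic is never allowed out of that segment.
PAYMENT_SEGMENT = ipaddress.ip_network("10.10.20.0/24")
PROCESSOR_ALLOWLIST = {("203.0.113.10", 443), ("203.0.113.11", 443)}
EXFIL_PORTS = {21: "ftp", 25: "smtp", 587: "smtp-submission"}

# Assumed log format: "<date> <time> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

@dataclass(frozen=True)
class Violation:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def check_egress(lines):
    """Return the outbound connections from the payment segment that the policy forbids."""
    violations = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production tool would count these separately
        ts, src, dst, dport = m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))
        if ipaddress.ip_address(src) not in PAYMENT_SEGMENT:
            continue  # business-segment traffic falls under a different policy
        if dport in EXFIL_PORTS:
            violations.append(Violation(ts, src, dst, dport, f"{EXFIL_PORTS[dport]} egress from payment segment"))
        elif (dst, dport) not in PROCESSOR_ALLOWLIST:
            violations.append(Violation(ts, src, dst, dport, "destination not on processor allowlist"))
    return violations

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2009-12-22 14:02:11 src=10.10.20.5 dst=203.0.113.10 dport=443 proto=tcp",  # allowed: processor
    "2009-12-22 14:05:40 src=10.10.20.5 dst=198.51.100.7 dport=21 proto=tcp",   # FTP out of payment segment
    "2009-12-22 14:06:02 src=10.10.20.5 dst=198.51.100.9 dport=25 proto=tcp",   # covert SMTP
    "2009-12-22 14:07:13 src=10.10.20.8 dst=192.0.2.44 dport=443 proto=tcp",    # HTTPS to non-processor host
    "2009-12-22 14:09:55 src=10.10.30.2 dst=198.51.100.7 dport=21 proto=tcp",   # business segment, out of scope
]

if __name__ == "__main__":
    for v in check_egress(SAMPLE_LOG):
        print(f"{v.ts} {v.src} -> {v.dst}:{v.dport}  {v.reason}")
```

The same three violations would be caught on the wire by a deny-by-default outbound rule set on the payment segment; the script is the audit view of that rule set over logs you already have.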
Keyloggers are particularly lethal, and external vulnerability scans don’t usually pick them up. It’s just the nature of the beast. But following standard procedures for protecting your card data can help hold the fort against Revealer and any other new keystroke recorder that comes along. You don’t leave your office door unlocked. The same caution should apply to your payment systems.
Posted on December 22, 2009 by Dave Ellis, Director of Forensics
Tuesday, December 22, 2009
Caveat merchant: new keylogger stealing credit card data
Posted by SecurityMetrics PR at 2:23 PM
Monday, November 23, 2009
Unwelcome holiday present: small merchant data breaches
Black Friday is a few days away, the holiday shopping season will soon be in full swing, and retail sales reports will be read like tea leaves for signs that the recession will soon be just a bad memory. But as transaction numbers climb, so do data breach risks – particularly among smaller merchants who are typically unprepared to fight data thieves.
At the Visa Security Summit earlier this year, industry experts agreed that hackers now have small and midsize businesses in their sights for a purely opportunistic reason: the smaller guys are easier targets these days. It’s much harder to crack mega-enterprises that have dug deep into their IT budgets to defend their networks against rootkits, keyloggers, packet sniffers and all the other tools of the hacking trade.
SMBs, as a rule, have done little to protect themselves. Panelists at the same summit cited various studies indicating that nearly 20% of small businesses don’t even use antivirus software; 60% fail to encrypt their wireless links; and just 60% of Level 3 merchants have complied with the Payment Card Industry’s Data Security Standard (PCI DSS). Level 4 merchants – the smaller mom-and-pop types – are believed to lag far behind on compliance numbers.
On the PCI DSS front, part of the blame lies with the misconception that becoming compliant is as painful as having a root canal. Surveys show that 86% of small retailers are aware of the standard and 88% place a priority on data security, but the prospect of jumping through PCI’s hoops stops them cold. That’s because, so far, the industry has done a relatively poor job of getting them the help they need. Merchants whose computer knowledge stops at booting up literally don’t know where to turn.
The truth is that most merchants can fill the PCI bill with little trouble if they have someone with PCI knowledge who can walk them through the Self-Assessment Questionnaire (SAQ) and help them remediate any shortcomings in their security procedures. For all of the bellyaching about supposed complexity, PCI DSS is really nothing more than a set of basic rules that should be part of any business’ security program. And for all of the complaints about added expense, PCI fees are just a cost of doing business in today’s wired world – much like installing security alarms, paying a property lease, or building and hosting websites.
Whether or not hackers think it’s worth their time and effort to purloin credit card data from smaller merchants remains to be seen, but this holiday season may be the most revealing test yet of the theory that neighborhood grocery stores, boutiques and dry cleaners are next in line. With 24 million Level 4 merchants around the world, the cumulative damage could easily exceed that of the widely publicized mega-data breaches. Happy holidays? Bah, humbug!
Posted on November 23, 2009 by Wenlock Free
Posted by SecurityMetrics at 3:39 PM
Monday, July 27, 2009
New research: Biggest card security risk is at merchant level
Malware, counterfeit card fraud and card-not-present fraud are at the top of the list of threats to merchants today, according to a new report from the research firm Aite Group this month. The research report highlighted merchants as the most vulnerable position in the card data security ecosystem.
The report, “Card Data Security: In Search of a Technology Solution,” talked to heads of risk management for North American issuing banks or payment processors to determine what they saw as the biggest card security problems, the responsibilities of stakeholders and possible security solutions that could minimize the risk.
Who is most at risk? According to the report, 62% of survey respondents named merchants, followed by acquirers, whom 43% of respondents rated vulnerable or very vulnerable to security breaches. ISOs may have the least to worry about, with only 30% of respondents calling them vulnerable or very vulnerable to security breaches.
Aite’s Nick Holland points out that the promising solution of shifting the industry from magnetic stripe cards to smart cards, also called EMV architecture, may never happen. Holland warns that “with the deeply entrenched magnetic stripe infrastructure in the United States, and the cost and effort involved in transitioning stakeholders to chip and PIN infrastructure,” the industry may never move to more secure EMV architectures.
More info on the report is here.
Aite is also currently offering a survey for C-level technology and operations executives at North American banks to participate in to share their views on IT strategy trends in the banking industry. Click here to participate.
Posted by SecurityMetrics PR at 10:04 AM
Labels: Compliance, IT risk
Friday, July 24, 2009
Nearly 90% ‘trying to implement PCI Compliance process’ says report
A new report out from the Institute of Internal Auditors reveals that nearly 90 percent of companies surveyed are trying to implement a PCI compliance process. The report also says that 56 percent of companies are in compliance with PCI DSS today.
The entire report, “Moving Toward PCI Compliance,” is available here.
As a bonus, the report also offers tips from the IT Compliance Institute to help internal auditors achieve PCI compliance.
Posted by SecurityMetrics PR at 12:24 PM
Labels: Compliance, PCI, PCI Tips/Tricks
Tuesday, June 30, 2009
Has your third party vendor put you at risk?
Since 2006, over 70 retailers and payment processors have disclosed breaches that involved tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse.
As more and more small businesses comply with PCI DSS and consider their systems’ resilience to attack, being hacked by a bad guy is still, as it should be, of utmost concern in the eyes of most business owners.
But what if your security expert is the one that puts you at risk? Would you know?
A business person runs a business. Regulations like PCI DSS and other security laws are increasingly making business owners responsible for ensuring the integrity of their computer systems and credit card data. While simple processes such as where to store paper credit card data or ensuring systems are locked in an appropriate facility within the business are fairly routine processes for a business owner to address, ensuring that computer systems are not only PCI-compliant but resilient to a hack goes beyond most business owners’ expertise.
Most often a business will engage a 'security expert.' If a new system is required and deployed that could offer ‘improved’ security, most businesses rely on their POS (Point of Sale) vendor to set up a system in a secure manner – an arguably reasonable expectation.
Not so fast. Our forensics team was recently called in to investigate a small business owner in the Southeastern US that was hacked. In reviewing the log files and performing our investigation we uncovered a very disturbing fact: the third party vendor had left behind information on the system detailing several other businesses in the region that were also under contract to that same vendor, including their passwords and computer configuration data.
It was, in this case, a POS vendor and not a security vendor that had performed the system’s security setup. Attackers then used this information to access the other businesses named in the documentation left behind by the vendor. In each instance we found that the business had been set up identically to all of the others, making them all insecure. Additionally, each business had been set up with the exact same default passwords for each location, giving the attacker immediate administrative access to over 40 additional businesses.
There are reasons to be concerned about leaving your data security in someone else’s hands. Your customers entrust your business to protect the information they share with you. Breaching that trust could mean less business and could be far more damaging than monetary consequences like paying a fine for a security breach or a noncompliance fee to Visa.
Picking your security vendor, and learning how your business can be more secure when working with third party security or other vendors, should be a critical decision for any business owner.
-Dave Ellis, Director, Forensic Investigations
Posted by SecurityMetrics PR at 10:37 PM
Labels: Compliance, forensics, PCI DSS, PCI Tips/Tricks, security breach
MasterCard’s changes could affect 2000 merchants
SearchSecurity’s Marcia Savage put together a great summary and industry response to increased PCI requirements announced last week by MasterCard.
The new rules, she reports, will mean that merchants processing between one and six million transactions annually, or Level 2 merchants, will be required to use a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010.
MasterCard estimates that “fewer than 2,000 merchants will be directly affected by the revised rules” according to the report.
Posted by SecurityMetrics PR at 11:07 AM
Friday, June 26, 2009
Just What Is the Cost of a Breach?
What is the cost of a breach to a retailer?
We get asked this question all the time. Putting a number on it is exceptionally hard with so many variables coming into play. We expect that it is “a lot,” as The TJX Companies found out this week.
The company, which owns the large-volume discount retailers T.J. Maxx and Marshalls, was the victim of perhaps the largest credit card breach disclosed by a retailer to date. This week it was announced that the company has settled lawsuits with over 41 states. Back in January 2007, TJX disclosed that its systems had been hacked over a period of 18 months without security detecting the theft.
Under the terms of the settlement, the company has agreed to pay $9.75 million according to multiple reports.
SearchSecurity has a complete recap of the settlement here.
Posted by SecurityMetrics PR at 11:59 PM
Labels: Compliance, PCI, PCI DSS, Security, security breach