With remote access tools, who needs to steal a physical device to get access to payment data? A recent hack of a parking management service provider proves that access security is vital to keeping customer payment card data safe.
SP+ recently reported that an unauthorized person used the remote access tool of a payment system provider to connect to computers that process payment cards in seventeen or so locations in the U.S. The attacker installed malware that detected payment card data as it was routed through the parking facility payment systems to steal customer names, card numbers, expiration dates and verification codes.
Access to POS Vendor Systems: Gateway to Retail Payment Data
Payment providers, or point-of-sale (POS) providers, are common targets for criminals looking for a way to access larger companies and their customers’ data. The Illinois-based sandwich franchise Jimmy John’s was breached this summer after an intruder stole login credentials from a company’s POS vendor and remotely accessed the POS systems at 216 different locations to steal payment data.
Their POS vendor, Signature Systems, reported that they found malware on their systems that hadn’t been detected by their antivirus. A longer list of other restaurants using the provider was also breached. While the company said they were developing a new application with end-to-end encryption that would block malware, there’s no word on how they planned to stop intruders from accessing their systems in the first place.
Goodwill is another retail chain that was breached via their POS vendor, C&K Systems, which resulted in the theft of more than 800,000 customer records early this year. While no information came out of their investigation about the initial point of entry, experts quoted by BankInfoSecurity.com suggest that a remote access attack was made possible by means of a weak or default password, and/or phishing/social engineering – again another attack on access to systems with payment card data.
Third-Party Access – Threat Not Limited to Just Retail
And not just retail organizations are targets, as this case shows – any provider that swipes a credit card in exchange for services may become a new mark. KrebsonSecurity.com reported on incidences of credit card number thefts starting in February 2014 that hit dozens of carwash locations in the nation.
So what’s the common theme? They all used the same POS system provided by Micrologic Associates, and exploited the remote access tool, Symantec’s pcAnywhere software that was breached in 2012. Symantec announced the tool’s end-of-life in May 2014, with no plans of replacing it. A detective on the case found that default credentials for the tool were never changed, which may have given an intruder easy access.
The Answer: Securing Access
Although encryption is considered a best practice, and using a PA-DSS compliant POS provider is a step in the right direction, cutting off access for intruders is one of the most effective and simple ways to deter a remote access attack.
By employing two-factor authentication, remote attackers can’t access your POS systems armed only with a username and password. An effective two-factor solution lets you generate one-time or event-based passcodes for contractors that might only need temporary access.
As SP+ reported in their announcement about their remediatory actions after the breach:
The malware has been disabled on all affected servers, and SP+ has required that the vendor convert to the use of two-factor authentication for remote access.
Two-factor authentication for remote access is a requirement by PCI DSS and best practice for strengthening access security with applications that process payment card data. To learn more about how to help navigate through some of the new risks in the retail industry, please check out this free guide that provides a detailed overview of the retail industry’s current state of security and recommendations on safeguarding customer financial information.