FS-ISAC: Remote-Access Attack AlertOffers List of Risk Mitigation Recommendations
Remote-access attacks waged against smaller merchants are a growing threat, according to a cybersecurity alert published July 7. The alert was released by the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers.
While industry attention in late 2013 and early 2014 was focused on the large-scale RAM-scraping malware attacks that resulted in breaches at big-box retailers, including Target and Home Depot, more attention is now being paid to remote-access attacks against point-of-sale devices commonly used at smaller merchants, says Charles Bretz, director of payment risk at the FS-ISAC. The organization provides a conduit for information sharing among financial services institutions.
"We are seeing a shift in the breaches of card data," Bretz says in this interview with Information Security Media Group. Now that many of the larger retailers have implemented end-to-end encryption and tokenization, in conjunction with their rollouts of EMV-compliant POS terminals, hackers are turning their attention toward smaller retailers, he says.
"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz explains. "Merchants in industry verticals use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."
These managed service providers rely on remote access to POS systems for maintenance and repair, he says. And too many merchants who use these providers' services have failed to take advantage of multifactor authentication for remote login, Bretz says. In many cases, the default passwords provided by the managed service provider are not changed by the retailer once the system is installed, he adds.
"The catalyst for this alert was that the Secret Service and our members are reporting that remote access at these common payment systems used by smaller retailers is being exploited by the cybercriminals," Bretz says.
To help the industry shore up these remote-access security gaps, the alert offers a long list of recommendations, including urging the use of multifactor authentication as well as disabling remote access when it's not in use, Bretz says. It also offers insights on helping to prevent phishing attacks waged against employees to gain access to login credentials.
During this interview, Bretz also discusses:
- Why merchants rolling out EMV-compliant terminals should also invest in tokenization and encryption;
- How the FS-ISAC is working to enhance cyberthreat intelligence and information sharing with the retail sector; and
- The role banks play in helping their retailer customers get up to speed on addressing cybersecurity vulnerabilities.
Before joining the FS-ISAC, where he supports the center's Payment Processor Information Sharing Council and Payment Risk Council, Bretz spent more than 20 years in executive management with a major regional bank. His experience has included online sales, online service delivery, mobile banking and bank cards. Bretz also has served on board of directors of NACHA - The Electronic Payments Association.