The explosion in POS malware attacks against U.S. merchants highlights the need for retailers to take bolder security steps. Those include adopting layers of security, strengthening authentication and investing more in threat intelligence, says Troy Leach, chief technology officer of the Payment Card Industry Security Standards Council, and Karl Sigler, threat intelligence manager at security firm Trustwave.
Recent attacks that have involved Backoff malware infections generally could have been prevented using basic security practices, Sigler contends.
"POS systems are critical systems, and two-factor authentication should just be a given for critical systems," he says. "That, along with strong firewall rules and security experts who are monitoring inbound and outbound traffic, would have stopped Backoff."
Many merchants aren't doing enough to adequately protect card data, Sigler and Leach say in this panel discussion with Information Security Media Group.
"It's a challenge to have security be a continuous activity in an organization," Leach says. "But this is what we are pushing. We need to continue to be diligent about security and awareness within the organization, and we need to rethink what are the valuable assets that we are trying to protect."
On Aug. 22, the Department of Homeland Security issued an updated alert about Backoff, an emerging malware strain discovered in July by Trustwave. To date, federal investigators estimate more than 1,000 U.S. businesses have been compromised by Backoff, which typically infects POS systems through the exploit of credentials used to access remote-access management software.
Leach says most of the recommendations noted in that alert line up with what already is called for in version 3.0 of the PCI Data Security Standard.
"Things like configuring the lockout settings, having appropriate firewalls and limiting systems' access with complex passwords - all of those types of things are covered by the PCI-DSS," he says.
And the same tried-and-true best practices still apply, Leach says. "As we've said before, if you don't need it, don't store it," he says. "Many of these businesses are storing cardholder data via legacy systems."
On Aug. 27, the PCI Council issued a bulletin about Backoff, highlighting steps merchants should take to ensure they put best practices in place to prevent network intrusions by maintaining compliance with the PCI-DSS (see PCI Council Issues Malware Alert ).
"Remote access raises a number of red flags, Leach says. "We often see that this remote-access technology becomes the backdoor for attackers."
Merchants must minimize their risks by locking these back doors so that malware cannot install itself in the POS environment, he says.
Sigler also warns that retailers must be mindful not to get too hung up on specific malware strains, but focus more on overall security.
But because many card breaches have been linked to third-party compromises, merchants must ensure they perform adequate due diligence and fully understand measures vendors are taking to secure their systems, both Leach and Sigler say.
During this interview, Leach and Sigler also discuss:
- The need for greater security and fraud awareness among retailers;
- Why chip cards, often referred to as EMV cards, will not stop card-data breaches; and
- How ongoing PCI compliance can help ensure card data is protected.
In his role as CTO and lead security standards architect for the PCI Council, Leach has developed and implemented a comprehensive quality assurance program. Before joining the council, he led the incident response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.
At Trustwave, Sigler is responsible for identifying, researching and analyzing security vulnerabilities as well as malware-related attacks and other trending threats. Before joining Trustwave in 2013, Sigler worked as the head of the IBM X-Force Education group for 12 years. He has made presentations on a range of security-related topics, such as intrusion analysis and penetration testing to audiences in more than 30 countries.