Processor Warns of Hacking Trend

Smaller Merchants Especially Vulnerable to POS Attacks

By , April 30, 2012.

Over the past year, First Data, the largest payments processor in the U.S., has seen an uptick in "trolling" - hackers sniffing networks for remote access into point-of-sale systems that are open or loosely protected.


The targets: Smaller merchants, those categorized by Visa as Level 4. These merchants process fewer than 1 million transactions per year and account for 32 percent of Visa's U.S. transactions. They also are largely non-compliant with the Payment Card Industry Data Security Standard.

The risk, says John Graham, vice president of global information assurance and risk at First Data Corp., is that because these smaller merchants are not PCI compliant, they are vulnerable to breaches of credit and debit card data. "Over the last 12 months or so, trolling has really become prevalent," Graham says.

So, too, have breaches. Erik Rasmussen, a special agent within the Cyber Intelligence Section of the U.S. Secret Service's Criminal Investigative Division, says most card fraud incidents today stem from POS hacks. "The No. 1 way criminals are getting in is through remote access to the backhouse server," Rasmussen said during a recent RSA Conference presentation.

The onus, then, is on processors and banking institutions to educate these merchants on the risks, as well as on PCI compliance. But education, experts say, is an uphill battle.

"Level 4 merchants are a huge hole," says Anton Chuvakin, a PCI expert and Gartner analyst. "I've met more than a few that don't even know PCI exists."

Graham agrees. "If you go to a small merchant and ask if they know what PCI is, most will just look at you," he says. "That's a big area of interest to us. We want to be sure they understand PCI and the need for compliance."

Level 4 Risks

Payment card risks have gained greater visibility since the Global Payments data breach of an estimated 1.5 million payment cards was announced on March 30.

But in a March 2 presentation at RSA, Rasmussen of the Secret Service described the ubiquity of POS attacks against small merchants - typically involving malware implanted by the hackers. Nearly half of the card breaches investigated by the Secret Service involve malware, and the retail, food and beverage, and hospitality sectors are the most vulnerable. "Once the hackers get into the system, it's all become too easy for them," Rasmussen said.

Pointing to the $20 million card breach that recently hit 100 Subway locations and exposed 100,000 cardholders, Rasmussen described how easy it was for four Romanians to tap Subway's network and exploit the system for more than a year before striking.

"Payments systems attacks are not going away," Rasmussen said. "In fact, we expect them to grow, as more payments options, through PayPal and Google, for instance, hit the market."

The challenge: Until recently, few small merchants needed to comply with PCI. Most relied on dial-up POS connectivity. Because their POS systems were not IP-connected and stored no card data, they posed no risk of being hacked.

But as more Level 4 merchants upgrade their technology and integrate their systems, they open their networks to common Internet threats - hence the need to comply with the PCI-DSS.

Yet, few small merchants understand the risks.

It's a known problem, even among the card brands. Both Visa and MasterCard, on their U.S. lists of PCI-DSS compliant merchants, note compliance among Level 4 merchants is an unknown. Because Level 4 merchants are not required to undergo compliance audits by qualified security assessors, the card brands take it on faith that these merchants conduct self-assessments.

It's a dicey way to handle card security, says First Data's Graham.

Security Solutions

Payments processors such as First Data have taken the lead on helping Level 4 merchants secure their transactions.

In 2010, First Data released TransArmor, a tokenization product created with RSA for Level 4 merchants. TransArmor tokenizes the card number at the POS. If the system is hacked, the token is meaningless to the fraudster.
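To illustrate the vault-style tokenization described above, here is an added example (not First Data's TransArmor code): the POS stores only a token, while the mapping back to the card number lives in a vault on the processor side. The token is constructed to keep the last four digits for receipts but to fail the Luhn check, a design choice assumed for this example so that a token lifted from a hacked POS cannot be replayed as a card number.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """PAN <-> token mapping. Lives with the processor, never on the merchant POS."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:        # same card always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # Random body, last four digits preserved so receipts can show "xxxx1111".
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that look like real cards (Luhn-valid) or that collide.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can recover the PAN; the POS never calls this."""
        return self._token_to_pan[token]


def pos_store_sale(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's POS keeps on disk: the token and amount, never the PAN."""
    return {"token": vault.tokenize(pan), "amount": amount}
```

A breach of the POS database yields only records like `{"token": "…1111", "amount": …}`, which cannot be turned back into card numbers without the processor's vault.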

Follow Tracy Kitten on Twitter: @FraudBlogger
