MAPCO Attack Highlights Retail TrendLegacy POS Devices, Poor Network Security Cited as Factors
One card issuer says a new retail Trojan designed to sniff out card details is likely to blame for the uptick in attacks. Nevertheless, retail security experts contend many malware-fueled breaches could be prevented if merchants took more proactive steps to lock down networks and point-of-sale devices.
The MAPCO attack may have infected all of the 377 convenience stores that connect to MAPCO's corporate network, exposing card data associated with transactions conducted between March 14 and April 21, MAPCO announced May 6 in an FAQ on its website.
Many retail malware attacks are traced back to remote-software access to POS devices and weak authentication for network access, says Nick Percoco, senior vice president at Trustwave, which provides compliance, Web, application, network and data security solutions. As a result, he urges retailers to "only allow certain systems to connect to the corporate network. If you lock down the access and limit the IP addresses that can access the network, you increase security."
Too many retailers rely on weak passwords for remote access to POS networks and devices, Percoco adds. "Criminals know all the default passwords for remote access to certain types of POS devices. So if retailers change those to something that is strong and use more advanced authentication - like two-factor authentication for network access - that would greatly decrease the number of successful attacks."
Many retailers are not taking those steps and instead are leaning too heavily on Payment Card Industry Data Security Standard compliance, Percoco says.
"PCI does not require encryption of data if it's being transmitted over a private network," he explains. "So if you have a merchant with a corporate office and 1,000 locations and the data is being transmitted to other locations over a VPN, it can be sent in the clear. The criminals know if they hack into that environment, they have clear-text data that they can intercept and transmit out."
Bob Russo, general manager of the PCI Security Standards Council, which oversees and reviews PCI standards but has no compliance or enforcement authority, contends that most breached merchants are not following all of PCI's recommended security best practices for mitigating malware risks.
"The attackers are going to go for the lowest hanging fruit," he says. "If your door is locked and hard to open, they're not going to go in and they're not going to try. You have to address some of these things that are in the standard."
Establishing network firewalls, changing default passwords for remote POS device access and monitoring transaction logs would catch or detect most malware attacks before massive amounts of card data is compromised, Russo says. Most breached retailers, however, are not following those steps.
"The lion's share are not PCI compliant when they're breached," he says. "That said, malware is a big issue. Once it's in, do we have ways of detecting it? We need to look at that."
MAPCO points out in its statement about the attack that its systems do not store card data. The company does not make it clear, however, whether it was PCI compliant at the time of the attack. The FBI and MAPCO continue to investigate the breach. On May 13, MAPCO said it had no additional comment to offer beyond its online statements issued May 6.
MAPCO Express, MAPCO Mart, East Coast, Discount Food Mart, Fast Food and Fuel, Delta Express and Favorite Market stores located in Tennessee, Alabama, Arkansas, Georgia, Kentucky, Mississippi and Virginia have been affected.
The MAPCO breach resembles another malware attack that targeted remote POS-system software used by certain retailers in Kentucky and southern Indiana. That attack is still being investigated by federal authorities, says Craig Hutzell, a spokesman for the Kentucky Electronic Crimes Task Force, which is part of the Secret Service (see Retail Breach Contained; Fraud Ongoing).
Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville, Ky.-based Republic Bank & Trust, one of the card issuers affected by that attack, says these types of malware hacks are becoming all too common.
Card-issuing institutions, like Republic Bank, are upping fraud-detection systems to trace card compromises back to retailers that are breached, Meadors says.
Avivah Litan, a financial fraud expert and analyst with consultancy Gartner Inc., finds it troublesome that malware attacks aimed at retailers are gaining momentum.
"The primary issue is that the bad guys' malware is more sophisticated and advanced than the good guys' security defenses," she says. "PCI compliance hasn't made much difference here because most of the anti-malware and anti-virus software used by these companies to detect the presence of malicious files, as mandated by PCI, frankly, is not up to the job."
She stresses that the industry needs to update payments systems and implement stronger card-data security, such as chip cards that conform to the Europay, MasterCard, Visa, EMV standard.
An executive with a card-issuing institution not affected by the MAPCO breach, who asked not to be named, says a new Trojan known as vSkimmer is likely behind many of the recent retail malware attacks.
vSkimmer is designed to steal payment card data from Windows-based point-of-sale terminals and then transmit that data to remote servers, the executive says. The Trojan also has the ability to steal magnetic-stripe data, such as account numbers, expiration dates and security codes, from the backs of cards that are swiped at infected terminals. vSkimmer infects POS terminals connected to the breached network, the executive adds.
"The malware is getting much more robust," the executive notes, and is compromising merchants that have been signed off for PCI compliance. "It sits on the merchants' systems and seeks out card data. Current PCI may be immune to prevent [this type of attack], as PCI may not cover what this is accomplishing."
Though the malware that in February breached Bashas' Family of Stores was never named, this executive says vSkimmer was likely used.
Bashas' corporate network was targeted by never-seen-before malware that allowed attackers to gain access to internal systems and capture sensitive payment information, the company said shortly after the malware was discovered. Bashas' said all 130 of its locations in Arizona, operating under the Bashas' supermarkets, AJ's and Food City brands, were potentially affected.
The malware behind the breach at Schnucks Markets Inc., announced March 30, also was designed to capture payment card details. Schnucks' said it had discovered the malware on its point-of-sale network after customers and banking institutions had traced fraudulent transactions back to cards that had been used in its stores. Schnucks' operates in Wisconsin, Missouri, Illinois and Indiana. A class action lawsuit has been filed against Schnucks in connection with the breach (see Schnucks Sued over Malware Attack).
Percoco says defenses to address today's malware are improving. But legacy POS systems and devices will take a while to upgrade, meaning the industry can expect vulnerabilities to linger for a while, he adds.
"The real defense there is point-to-point encryption and encryption at the swipe," he says. "There are initiatives out there for that, but there is still a high population of merchants in the U.S. that have point-of-sale systems that are ripe for these types."