Brandon Benson is a senior security analyst at SecurityMetrics, responsible for PCI compliance assessments and security consulting services. SecurityMetrics is a leader in merchant data security and compliance.
According to the U.S. federal government, 2014 brought about an epidemic of point-of-sale (POS) malware or malicious software that affected over 1,000 merchants nationwide. In the last two years, POS malware has compromised 100 million payment cards and potentially affected up to one in three people in the U.S.
SecurityMetrics PCI forensic investigators discovered that remote access is a top avenue hackers use to gain access into merchant systems in order to install custom-tailored POS malware. Other attack vectors include email phishing attacks, third-party vendor compromise, insider threats, social engineering, and using vulnerable applications to compromise systems.
Common remote access tools such as RDP, LogMeIn, RemotePC, pcAnywhere, and GoToMyPC are used to allow third-party access to merchant information without physically visiting the location. These tools also allow employees to access work systems from remote locations, a common practice in today’s mobile corporate culture.
If not properly secured, remote access puts companies including merchants, vendors, service providers, and others at a severe security disadvantage by allowing attackers the opportunity to remotely gain access to POS or other systems in the payment environment.
An attacker could breach a merchant’s payment environment via remote access by:
- Scanning the Internet for vulnerable IP addresses
- Running a password-cracking tool on each IP address found
- Beginning a remote access session with cracked username/password information
Once inside the merchant system, the attacker could upload malware, copy sensitive data, and even use the compromised system to attack other computers or networks within the merchant environment. The malware will continue to steal data even after the attacker logs out and may go undetected for a long period of time.
Unfortunately, this type of attack is very easy for a hacker to execute, and is made even easier by free online password-cracking tools.
Take a multi-layered approach to security
POS malware succeeds when system vulnerabilities (cracks in the wall) are present. These cracks allow hackers into merchant systems. The best way to prevent such attacks is to discontinue remote access, but in today’s world, that’s not always a realistic option. Alternatively, by taking simple steps and encouraging a multi-layered approach to security, merchants can secure their organization against a potentially devastating compromise.
Merchants who correctly implement PCI DSS security controls can reduce the risk of malware in their environment. The PCI DSS is a multi-layered security framework that, when implemented correctly, reduces a merchant’s risk of compromise. The following best practices, if implemented correctly, will reduce the risk of attacks.
- Segregate and restrict access to sensitive systems (PCI DSS Requirement 1.2)
By identifying sensitive systems and isolating them on their own network zone, merchants can control what type of access is allowed into these zones and restrict remote access to only allow two-factor authentication. Further restricting outbound access to only authorized IP addresses would help prevent unauthorized information from leaving the restricted network.
- Change the default username (PCI DSS Requirement 2.1)
To make it more difficult for a hacker to guess your username, don’t use the username for other non-sensitive systems or in any public forums. Instead of using common terms such as “admin,” “administrator,” your company name, or a combination of these, use fictitious names or a combination of characters, symbols, and numbers that doesn’t fit the standard username mold.
- Don’t enable guest accounts and disable/change default accounts (PCI DSS Requirement 2.1)
Guest and default accounts allow anonymous computer and system access. Disabling any guest accounts on each computer protects against unauthorized users. Disabling or changing default accounts makes it difficult for attackers to research installation guides online to get the default username and password of applications and systems. Many POS systems and applications come installed with default or guest accounts and passwords that should be changed to make it more difficult for attackers to enter systems.
- Protect systems against known malware (PCI DSS Requirement 5)
Antivirus or anti-malware programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program that scans systems on a regular basis will prevent known POS malware or other malware from infecting systems.
- Establish a process to identify security vulnerabilities (PCI DSS Requirement 6.1)
Using outside sources such as the United States Computer Emergency Readiness Team (US-CERT), the SANS Institute, and vendor/antivirus threat feeds, merchants can identify emerging malware and attacks on systems. They can then configure systems to alert and report on suspicious activity, such as new files added to known directories where malware is installed or unauthorized access attempts.
- Restrict access to sensitive systems by business need to know (PCI DSS Requirement 7)
Restrict system access to only the individuals and groups who need to know that information. Configuring dedicated administrator and user accounts prevents the use of credentials stolen from other non-sensitive systems from being used to access sensitive systems.
- Lock out hackers (PCI DSS Requirement 8.1.6)
Set your computer to lock out a user after six failed login attempts. Requiring an administrator to manually unlock accounts will prevent attackers from guessing a few passwords and coming back later to try again. If an attacker only has six chances to guess the correct password, it’s likely their attempts will fail. Once locked out, an attacker will move on to an easier target.
- Implement two-factor authentication (PCI DSS Requirement 8.3)
Two different forms of authentication should be implemented to access a remote access application. When configuring two-factor authentication, factors must contain two of three aspects:
- Something only the user knows (e.g., a username and password)
- Something only the user has (e.g., a cell phone or an RSA token)
- Something the user is (e.g., a fingerprint)
For example, if you implemented a password and a four-digit PIN sent through SMS to your phone, an attacker would have to learn your password and have access to your cell phone to gain remote access to systems.
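As an added example (not code from the article or from SecurityMetrics), the Python sketch below combines the lockout rule from Requirement 8.1.6 with the two-factor check from Requirement 8.3: a salted password hash plus an RFC 6238 time-based one-time code, which stands in for the SMS PIN described above as the "something the user has" factor. The class and function names, the failure counter, the salt and the demo secret (the RFC 6238 test key) are assumptions made for the example.

```python
import hashlib, hmac, struct, time

LOCKOUT_THRESHOLD = 6  # PCI DSS 8.1.6: lock the account after six failed attempts
# Constructed demo secret (the RFC 6238 test key); a real deployment provisions one per user.
TOTP_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class RemoteAccessGate:
    """Password (something known) + TOTP (something held); admin-only unlock after repeated failures."""
    def __init__(self, password_hash, salt, totp_secret):
        self.password_hash, self.salt, self.totp_secret = password_hash, salt, totp_secret
        self.failures, self.locked = 0, False

    def _password_ok(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.password_hash)

    def login(self, password, code, now=None):
        if self.locked:
            return "locked"  # stays locked until an administrator unlocks it (no time-based reset)
        now = int(time.time()) if now is None else now
        # Evaluate both factors before deciding, so a failure does not reveal which one was wrong.
        pw_ok = self._password_ok(password)
        # Accept the current 30-second step and the previous one to tolerate small clock drift.
        code_ok = any(hmac.compare_digest(totp(self.totp_secret, t), code)
                      for t in (now, now - 30) if t >= 0)
        if pw_ok and code_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "denied"

    def admin_unlock(self):
        self.failures, self.locked = 0, False

def make_gate(password, salt=b"constructed-salt"):
    """Enrol a user: store only a salted PBKDF2 hash of the password, never the password itself."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return RemoteAccessGate(digest, salt, TOTP_SECRET)
```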
- Implement logging and alerting (PCI DSS Requirement 10)
Implementing logging on systems to alert on suspicious activity will allow merchants to respond to possible breach attempts including:
- New processes created
- New login events
- Shared access events
- Disconnect events
- New service installation
- File auditing
- User account created
- Failed logons
- Event log starting
- Registry value modified
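An added example, not part of the article: a small Python detector run over constructed records shaped like Windows Security log events (IDs 4625 failed logon, 4624 logon with logon type 10 for remote desktop, 4697 service installed, 4720 account created, 4657 registry value modified). It raises the kind of alerts the list above and the file-integrity section describe: failed-logon bursts, a remote logon following such a burst, a service installed in an odd location, and account or Run-key changes. The thresholds, trusted paths, sample records and address 203.0.113.7 (a documentation-range address) are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log events, not real log data:
# (timestamp, event ID, source host or address, detail).
SAMPLE_EVENTS = [
    ("2015-04-22T02:14:%02d" % s, 4625, "203.0.113.7", "user=admin logontype=10")
    for s in range(0, 24, 4)                       # six failed remote logons in 20 seconds
] + [
    ("2015-04-22T02:14:30", 4624, "203.0.113.7", "user=posadmin logontype=10"),
    ("2015-04-22T02:15:02", 4697, "POS-01", r"service=svchost32 path=C:\Users\Public\svchost32.exe"),
    ("2015-04-22T02:15:10", 4720, "POS-01", "user=backup$"),
    ("2015-04-22T02:15:40", 4657, "POS-01", r"key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("2015-04-22T09:00:00", 4624, "10.0.0.5", "user=cashier logontype=2"),
    ("2015-04-22T09:05:00", 4697, "POS-01", r"service=Spooler path=C:\Windows\System32\spoolsv.exe"),
]

BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=60)   # assumed: five failures inside one minute
TRUSTED_PATHS = ("c:\\windows\\", "c:\\program files")  # assumed: expected locations for new services

def detect(events):
    """Return (alert kind, source, detail) tuples for the suspicious activity classes listed above."""
    alerts = []
    failures = defaultdict(deque)     # source -> timestamps of recent failed logons
    burst_sources = set()             # sources that already tripped the brute-force rule
    for ts, event_id, source, detail in events:
        t = datetime.fromisoformat(ts)
        fields = dict(kv.split("=", 1) for kv in detail.split(" ") if "=" in kv)
        if event_id == 4625:                                  # failed logon
            q = failures[source]
            q.append(t)
            while q and t - q[0] > BURST_WINDOW:              # slide the window forward
                q.popleft()
            if len(q) >= BURST_COUNT and source not in burst_sources:
                burst_sources.add(source)
                alerts.append(("brute_force", source, f"{len(q)} failed logons within {BURST_WINDOW.seconds}s"))
        elif event_id == 4624 and fields.get("logontype") == "10":   # successful remote-desktop logon
            if source in burst_sources:                       # success right after a burst: likely cracked
                alerts.append(("logon_after_brute_force", source, f"user={fields['user']}"))
        elif event_id == 4697:                                # new service installed
            path = fields.get("path", "").lower()
            if not path.startswith(TRUSTED_PATHS):            # binary outside the usual system locations
                alerts.append(("service_in_odd_location", source, fields["path"]))
        elif event_id == 4720:                                # user account created
            alerts.append(("account_created", source, f"user={fields['user']}"))
        elif event_id == 4657 and "\\run" in fields.get("key", "").lower():   # autorun key modified
            alerts.append(("persistence_registry_change", source, fields["key"]))
    return alerts
```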
- Install and monitor file integrity monitoring software (PCI DSS Requirement 11.5)
Not only should merchants review logs generated by their file integrity monitor software daily, they should also set up logs that alert system administrators in an event of suspicious activity. If a system detects suspicious activity, such as when a new software program is installed in an odd location, or if someone attempts to log in 300 times in a row, log alerting can tip off the internal IT team to begin an investigation.
- Implement vulnerability scanning (PCI DSS Requirement 11.2)
Vulnerability scans are automated tests that passively test systems and networks to identify known weaknesses. These scans generate reports that provide specific information about weaknesses in the entity’s systems and networks. These reports allow entities to find and fix vulnerabilities in a timely manner.
It is estimated that the average hacker could scan the entire internet for possible remote access vulnerabilities once every eight hours. This statistic is exactly why vulnerability scanning is crucial to merchant security. Vulnerability scanning should be ongoing, or at least conducted quarterly, to help locate vulnerabilities, including any remote access problems.
- Implement a risk-assessment process (PCI DSS Requirement 12)
Merchants that take a proactive approach to security will use internal and external resources to identify critical assets, assess the threats and vulnerabilities affecting those assets, and implement a plan to mitigate those threats.
The future of remote access exploitation
Remote access exploitation is a simple attack to conduct, but it is also simple to protect against such attacks by employing the aforementioned PCI DSS requirements. Attackers will continue to use vulnerable remote access applications to their advantage in 2015 and beyond until merchants shore up their businesses against these popular attacks.
Industry Views on Combatting the Malware Epidemic, Brandon Benson | April 22, 2015