A Q&A with Chris Novak of Verizon RISK Team
According to the 2014 Verizon Data Breach Investigations Report, point of sale (POS) intrusions accounted for fourteen percent of the 63,437 sampled data breach incidents. To get a better sense of this threat and how organizations can arm against it, I spoke with Chris Novak, global managing principal of Investigative Response at Verizon RISK Team.

Can you explain point of sale (POS) attacks?
POS is where any retail transaction starts and it happens when the card is swiped at a terminal, or it might happen, in the case of an ecommerce transaction, through a web portal or mobile application. POS intrusions typically happen through brute force attacks, stolen credentials and RAM-scraping malware.

Can you give us a layman-friendly definition of RAM-scraping malware?
RAM-scraping malware is designed to scan and “scrape” the memory of a POS system, tracking data such as cardholder’s name, card number, expiration date and security code. Because this data can’t be encrypted in POS system memory it’s especially vulnerable.

I’ve never seen a hacker that looks at someone’s PCI compliance before they attempt to hack into a system.

Can you describe the ‘cradle-to-grave’ journey of data at a POS?
The consumer swipes their card at the POS terminal. That data, usually the full track or CVV (data on the magnetic stripe) is picked up by the terminal.

• The transaction moves from the POS terminal to the store’s server.
  • The server will then take the transaction data and in some cases perform some pre-analytics on the transaction before it even goes out for authorization. (For example, some stores have fraud detection mechanisms.)
• In most cases, the data then goes on to an aggregation point at the store’s headquarters or datacenter, which collects the data and sends it out to the retailer’s bank or processor.
• The retailer’s bank processor will then look at the account number. The first several digits on every credit card are called the BIN or bank identification number, and that identifies the bank that actually issued the card, whether it’s Capital One, Bank of America, Citibank or so on. The processor then sends that transaction to the corresponding bank for approval.
• The bank then responds—confirming or denying that John Doe has the available credit to make the transaction—with a corresponding code that goes back through the processor.
• The processor then sends the code back to the merchant. The merchant’s datacenter sends it back to the store server, and the store server sends it back to the terminal. The terminal displays the response, and if, it’s a go, prints out the receipt, and the customer is on his way. Generally speaking, that all happens probably under about a tenth of a second.

What are the Payment Card Industry Data Security (PCI) standards?
The PCI standards were designed to make sure organizations that use payment card data are all playing by the same basic set of rules for everyone’s protection—they are standards to give us a degree of confidence. Organizations can use them to assess their process and they can use them to validate that they are maintaining that level of protection over time.

Do the PCI standards help with security?
Compliance doesn’t equal security and PCI standards were never supposed to be the “gold standard” for security. The standards are very good, but as I like to tell people, I’ve never seen a hacker that looks at someone’s PCI compliance before they attempt to hack into a system. Because PCI is a compliance standard it can only address the known issues. That means it lags behind the threats and risks of the real world because perpetrators will always find the holes.

Are there any specific limitations to the PCI standards with regards to POS exploits?
Right now there’s not a lot of regulation or compliance obligations regarding malware scraper protection. That’s something I am certain is being evaluated for a future proposition. One solution often discussed is ‘point-to-point encryption’ but this only addresses probably 95% of vulnerability typically involved with a POS transaction exploit. The RAM scraper is installed at the terminal from the first transaction and lives on there beyond it. The RAM scraper generally captures the data before the point-to-point encryption, or for that matter, any encryption can take place. If, however, the data is encrypted at the hardware device level, then it’s generally safe. Encryption in the POS application is often where things can break down.

What are some things organizations can do to improve their security around POS?

• Adopt two-factor or multifactor authentication. A lot of people are still using user names and passwords and that makes it easy for a perpetrator to get the key to walk through your door. This technology has existed for years if not decades. It costs money but it brings a higher degree of confidence.
• Build in network segmentation. This is similar to the two- factor authentication issue. Think of a building, where there are different departments and you might have to have a different key card to access different doors. You should be doing the same thing with your network.
• User education. One of the biggest things that we see organizations struggling with right now is that the users aren’t aware of the security threats. And almost every user just assumes that the security department is on top of everything. The users need to speak up if they see something weird on a system or an email or a web portal or if someone reaches out to them asking for information. A lot of times we find that when breaches occur someone might have had a lead but they had nowhere to take the information or no way to act on it. Education is not easy but lots of organizations are improving on this front—whether it’s with posters, signs, billboards, webinars or internal training sessions.
• Evaluation. If organizations were reevaluating their security on a regular basis they would see their gaps. People like to believe these breaches are advanced pie-in-the-sky attacks but when it comes down to it most of them are finding fundamental security gaps. Generally speaking, we often encourage folks to evaluate their overall risk profile, not based on compliance, governance, regulatory or legal elements, but looking at what the real risks are in the marketplace. The Verizon Data Breach Investigations Report can help you understand the real risks so you can focus your energy and resources and budget accordingly.

In summary…
Chris Novak and his Verizon computer forensics team are some of the leading experts in investigating and fixing PCI-related data breach events and his insight into POS issues is appreciated. Credit card data-related exposures will continue to surface as complex networks and data-sharing methods are increasingly trumped by the sophistication of bad guy exploit methods (e.g., RAM Scraper and Heartbleed). See more from Chris Novak:

• Protecting Data at the Point of Sale, an extended version of this interview published exclusively in the eRisk Hub
• Junto interview Heartbleed: Why Some Experts Are Ringing the Alarm