Two recent point-of-sale breaches, at a payment kiosk provider and a movie theatre chain, should serve as dramatic reminders of the importance of leveraging end-to-end encryption to protect sensitive data.
The self-service payment kiosk provider Avanti Markets recently acknowledged that 1,900 of its kiosks were hit by a "sophisticated and malicious malware attack" that exposed cardholders' names, credit/debit card numbers and expiration dates. The incident was discovered on July 4, 2017, and appears to date back just two days, to July 2.
While an initial alert had indicated that some customers' fingerprint data may have been exposed, the company later stated, "We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on biometric data and as such this biometric data would not be subject to this incident as it is encrypted."
Notably, Avanti began rolling out end-to-end encryption to all kiosks in May 2017. "At the time of the incident, the solution had been installed in more than 50 percent of kiosks," the company said. "The payment card information on these kiosks was not affected."
STEALTHbits Technologies CTO Jonathan Sander told eSecurity Planet by email that point of sale, for all the headlines it's been generating lately, still isn't a big area of focus for security pros. "The PoS systems are often brought in from the outside, used by contract or part time employees, and even connected to networks that aren't fully IT managed," he said. "They live in a gray zone that makes them both hard to manage and easy to target."
A Two-Year Breach
The movie theatre chain, B&B Theatres, was alerted to the breach by a local banking partner, the company said in a statement provided to Brian Krebs. "Upon being notified we immediately engaged Trustwave, a third party security firm recommended to B&B by partners at major credit card brands, to work with our internal IT resources to contain the breach and mitigate any further potential penetration," B&B said.
"While some malware was identified on B&B systems that dated back to 2015, the investigation completed by Trustwave did not conclude that customer data was at risk on all B&B systems for the entirety of the breach," the company added.
Netsurion global CISO John Christly told eSecurity Planet by email that the next step for attacks like these is likely to be point-of-sale ransomware. "If retailers don't protect themselves properly, this isn't much of a stretch," he said. "Rather than gain access to a chain's PoS to exfiltrate credit cards over months (or even years), cybercriminals could deploy ransomware that shuts down the PoS systems, effectively bringing the business and all revenue to a screeching halt."
In response, Christly said, retailers should protect themselves by deploying the following:
- A managed firewall (which can detect malware entering and sensitive data exiting the network)
- File integrity monitoring (to tell you when files have changed that weren't supposed to change)
- Unified threat management appliances (used to integrate security features such as firewall, gateway anti-virus, and intrusion detection)
- Security information and event management, ideally with dormant malware hunting capabilities (used to centrally collect, store, and analyze log data and other data from various systems to provide a single point of view from which to be alerted to potential issues)
- Managed detection and response (brings advanced threat detection and response specifically to the PoS systems to reduce the malware detection gap and incident response times)
- Next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems)
Merchants also need to remember that being PCI compliant isn't the same thing as being secure, Christly said. "It's one thing to do basically the bare minimum to meet compliance mandates, but it's completely another thing to do IT security properly," he said. "Properly locked down PoS systems take a willingness to bring in experts that have 'been there, done that' and know how to keep payment terminals locked down and immediately detect any unauthorized access or processes."
A recent Deloitte survey of more than 400 CIOs, CISOs, CTOs and other senior executives found that while 76 percent of respondents said they're highly confident in their ability to respond to a cyber incident, 82 percent acknowledged that their organization hasn't documented and tested cyber response plans involving business stakeholders within the past year.
And when thinking about potential cyber incidents, respondents at consumer product companies were more concerned about potential disruptions (48 percent) and loss of intellectual property (42 percent) than impact on brand reputation (16 percent).
"News of breaches can not only threaten sales of a particular product or brand, but can tarnish broader perceptions consumers have towards connected products in general -- jeopardizing billions in future sales growth," Deloitte LLP vice chairman Barb Renner said in a statement.