FS-ISAC Warns of Remote Access PoS Attacks


An alert [PDF] from the Financial Services Information Sharing and Analysis Center (FS-ISAC) warns that credit card processing systems that are accessible via remote access tools can be exploited by cybercriminals.

"Criminals have successfully exploited databases and payment processing systems with remote access tools," the alert states. "There is a high probability that employees who have remote access to the company's network will be targeted especially if the attacker can steal virtual private network (VPN) logon credentials and leverage them to log in during normal business hours."

The advisory, prepared in collaboration with the Retail Cyber Intelligence Sharing Center (R-CISC) and the U.S. Secret Service, with support from Visa Inc., recommends implementing multi-factor authentication on remote access devices to reduce the risk that attackers will gain access to the network.

"Too often, this added layer of security is not configured in remote access platforms, making it a common target in past data breaches," the advisory notes.

The advisory also suggests that login credentials be changed periodically, that group accounts and passwords never be used, that user accounts be set to automatically disable if unused for a given period of time, and that out-of-date operating systems be blocked, among other recommendations.
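The recommendations above (multi-factor authentication, periodic credential changes, no group accounts, automatic disabling of idle accounts, blocking out-of-date operating systems) can be checked against a remote-access account inventory. The following is an added example, not code from the advisory: the record fields, the 90-day and 45-day thresholds and the sample inventory are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds: the advisory summary above gives no specific numbers.
MAX_PASSWORD_AGE_DAYS = 90
MAX_IDLE_DAYS = 45

@dataclass
class RemoteAccount:          # hypothetical inventory record
    name: str
    holders: tuple            # people who know this credential
    mfa_enabled: bool
    password_changed: date
    last_login: date
    enabled: bool
    os_end_of_support: date   # vendor end-of-support date for the client OS

def audit(acct, today):
    """Return the list of recommendation codes this account violates."""
    findings = []
    if not acct.enabled:
        return findings       # a disabled account cannot be used to log in
    if not acct.mfa_enabled:
        findings.append("NO_MFA")
    if len(acct.holders) > 1:
        findings.append("GROUP_ACCOUNT")
    if (today - acct.password_changed).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("STALE_PASSWORD")
    if (today - acct.last_login).days > MAX_IDLE_DAYS:
        findings.append("IDLE_NOT_DISABLED")
    if acct.os_end_of_support < today:
        findings.append("OUTDATED_OS")
    return findings

def audit_inventory(accounts, today):
    """Map account name -> findings, omitting compliant accounts."""
    report = {a.name: audit(a, today) for a in accounts}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (not data from the advisory).
TODAY = date(2015, 8, 1)
INVENTORY = [
    RemoteAccount("alice", ("alice",), True, date(2015, 6, 20), date(2015, 7, 30), True, date(2020, 1, 14)),
    RemoteAccount("pos-support", ("bob", "carol", "vendor"), False, date(2014, 1, 5), date(2015, 7, 28), True, date(2014, 4, 8)),
    RemoteAccount("dave", ("dave",), True, date(2015, 7, 1), date(2015, 3, 2), True, date(2020, 1, 14)),
    RemoteAccount("erin", ("erin",), False, date(2013, 1, 1), date(2013, 2, 1), False, date(2014, 4, 8)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```
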

Crucially, the alert also recommends conducting information security and risk assessments of all third-party vendors that have access to your network.

It also offers additional guidance on securing point-of-sale (PoS) systems, and includes a list of common types of PoS malware that have been used in the past.

Recent victims of PoS breaches include Service Systems Associates, Firekeepers Casino, Trump Hotels, Hersheypark and Sally Beauty.

J.D. Oder II, CTO and senior vice president of R&D at Shift4 Corporation, told eSecurity Planet that anti-virus software, intrusion detection systems and firewalls serve as a good first step in avoiding such attacks. "We also recommend practicing security beyond compliance by not leaving anything behind for hackers to steal," he said.

"When EMV, point-to-point encryption (P2PE), and tokenization are properly implemented in a merchant environment, sensitive payment card data never enters your systems and a 'cardholder data environment' ceases to exist outside of a secured payment device," Oder added. "That way, all sensitive payment card data is hosted offsite from the merchant location and placed under the watch of those who specialize in securing that data."