After two major retailers, Target Corp. and Neiman Marcus, revealed that massive data breaches had compromised tens of millions of customers' data records, everyone from consumers to politicians has asked how such spectacular security blunders could occur. But if experts' anecdotes and insights on the numerous weaknesses in retail point-of-sale (POS) systems are any indication, it may be surprising major breaches don't happen more often.
Special coverage: Inside the Target breach
Does retail security take a back seat during the 'holiday IT lockdown'?
Target breach update: Information on up to 70 million customers stolen
Minneapolis-based Target was the first major retailer to announce a breach during the 2013 holiday shopping period, initially confirming the compromise of 40 million credit and debit cards over the course of three weeks in November and December. Target's forensic investigation soon uncovered that personal data, including email addresses and telephone numbers, of up to 70 million customers had been stolen as part of the same criminal operation.
Separately, Neiman Marcus confirmed that it uncovered a breach on Jan. 1 that dates back to the same time frame as the Target breach, though the Dallas-based retailer has yet to confirm whether the two incidents are related or even how many payment cards were affected. Customers are being notified of the breach.
And more retail breaches are likely to be revealed soon. A recent Reuters report indicated that other retailers also suffered data breaches during the holiday season. Undisclosed sources told the news agency that "at least three other well-known U.S. retailers" were breached, and the attack techniques utilized were similar to those in the Target breach.
Why are attackers currently having so much success penetrating retail environments? While some may look to cast blame on weak legacy point-of-sale security, others say retailers' security woes extend far deeper into their payment-processing infrastructures.
Complexity reduces point-of-sale security
Target CEO Gregg Steinhafel caused a stir in the security community following an interview with CNBC this week when he disclosed one particular aspect of the attack against his company.
"We don't know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers," Steinhafel said. "That much we've established."
Though Steinhafel did not elaborate, the report from Reuters points the finger at what is known as a RAM scraper, or memory-parsing malware, which essentially scans the memory of a computer looking for signs of track data from payment cards that may be unencrypted. Payment card giant Visa Inc. issued two warnings in 2013 related to the surge in use of such attacks to target retailers.
Blogger Brian Krebs reported Tuesday that the malware used to victimize Target was likely a variant of BlackPOS, a tiny memory-scraping program designed to sneak past perimeter defenses and install on point-of-sale systems undetected.
Patrick Townsend, CEO of Olympia, Wash.-based Townsend Security and a participant in the Payment Card Industry Security Standards Council (PCI SSC), said that such point-of-sale malware is difficult to stop. However, Townsend believes the security issues within retail environments extend further than point-of-sale terminal compromises. First and foremost, a retail environment, especially for a large company like Target, he said, can be incredibly complex.
Complexity is one of the things that make it so hard to secure these environments.
CEO, Townsend Security
In a typical brick-and-mortar store, according to Townsend, point-of-sale terminals are usually integrated with a cash register, which includes a complete operating system. A store will also have controllers that link terminals together.
Retailers then have payment operations at company headquarters, where payment transactions are consolidated and information is sent to a third-party payment processor. Any one of these technologies, as well as others like customer loyalty or gift card management systems, represent a potential attack surface that retailers often struggle to secure properly.
"Every one of those points could potentially be attacked and have been points of attack," Townsend commented. "So that complexity is one of the things that make it so hard to secure these environments."
According to Curt Wilson and Dave Loftus, both part of the ASERT team at distributed denial-of-service mitigation vendor Arbor Networks Inc. in Burlington, Mass., this sizable attack surface provides criminals a wide range of possible vulnerabilities with which to exploit retailers, often enabling an attacker to compromise a Windows PC or another weak point in a network and use that as the foothold to move laterally to the desired destination. Wilson and Loftus penned a recent report uncovering an active point-of-sale malware campaign that seemingly targeted only smaller retailers.
The bulk of the activity Arbor tracked as research for its report was attributed to the venerable Dexter family of RAM-scraping malware. Wilson said it's unclear whether Dexter was used in the Target attack, though a connection is possible, especially because the Dexter source code was previously leaked.
Arbor's research into Dexter enabled Wilson to learn about the different techniques used by attackers to install such malware onto POS systems. He noted that attackers have leveraged a number of Windows-based vulnerabilities, open remote desktops connections and vulnerabilities in open wireless networks to gain access to retailers' systems, including POS terminals themselves as well as Windows PCs used at corporate headquarters.
Spreading retail malware via central console
Once inside a network, there are a number of ways that attackers can install malware and locate valuable information. In the case of the Target breach, Wilson suspected that attackers might have compromised a central management console responsible for pushing software updates.
Adam Meyers, vice president of intelligence for Irvine, Calif.-based CrowdStrike Inc., agreed, highlighting the difficulty that attackers would otherwise have in spreading malware to thousands of point-of-sale endpoints.
"To deploy that much software to that many point-of-sale devices, they would have had to have gotten into some sort of central management console and pushed out the malware," Meyers said.
Meyers noted that sophisticated attackers, such as those sponsored by nation-states, are more likely to infiltrate a network and stay inside over the course of months or even years, whereas typical cybercriminals would simply utilize smash-and-grab tactics to take whatever they can find. The fact that such attackers possibly used the same techniques as nation-state hackers to hit Target and other retailers "speaks to the evolution of some of these criminal actors," he said, making the detection of their activities nearly impossible without implementing stronger security practices.
How to shore up retail security
As for how retailers can improve point-of-sale security, experts say reducing the complexity of payment systems is key.
Through his research on Dexter, Wilson discovered what appeared to be a mom-and-pop retailer running multiple applications on a single computer system alongside its POS software, including those for video surveillance and employee time-clock access. He said such a situation should never occur and stressed the need for isolation and network segmentation for systems in the card data environment.
"You should not have that [point-of-sale] machine used for other applications," Wilson said. "You should not have people surfing the Web, checking email, etc., on these point-of-sale machines, or [have] systems connected to these point-of-sale machines."
Meyers also recommended that POS systems should be isolated and placed on segmented networks, not only because of the obvious Payment Card Industry Data Security Standard (PCI DSS) compliance demands, but also because of the monitoring benefits such a setup provides.
"By creating a separate segment for those devices that you have control over, you can build a bottleneck point where you're then able to monitor anything crossing over that zone," Meyers said. "So it really gives you the ability to see traffic emanating from and [returning] to your point-of-sale environment."
With the November release of PCI DSS 3.0, the PCI SSC emphasized the importance of continuous monitoring, Townsend noted, which he believes could play a key role in detecting and mitigating retail breaches. Industry studies point to evidence that a breach typically occurs up to 12 months before an actual loss of data, he said, so it's up to retailers to monitor for criminal activity before a huge data loss occurs.
"When forensics is done, in a vast majority of cases, the breach was detectable early on based on system log information," Townsend said. "So having an appropriate system logging and monitoring infrastructure in place is crucial.
"But those systems are only as good as your implementation of the collection from all your endpoints," he added. "Companies need to collect logs and monitor them, but they also need to collect them from every PC and user and server and application and Web server and payment system in the network. Those active monitoring systems are only as good as the data they have to work with."
The information stemming from the Target and Neiman Marcus breaches, as well as other smaller retail breaches in previous years, could also give retail defense teams an upper hand over attackers, according to Meyers. He wants retailers to take the intelligence gleaned from security events at other companies and apply what is learned to their own IT infrastructure.
Between the success attackers are having targeting retailers and the release of the Dexter source code, experts agree that retailers must improve their point-of-sale security practices drastically if they want to avoid becoming the next Target.
"The underground economy is interested," Wilson said, "and this flurry of activity is probably going to stimulate more attacks."