Detecting and Preventing Compromises in Retail Payment Systems

January 14, 2014, Mike Weber, Vice President, Coalfire Labs

InformationWeek’s Matthew Swartz published an article on the recently confirmed payment card breaches at Target, Neiman Marcus and three other unnamed retailers. This article and many others reveal that these attacks involve sophisticated malware, and some even suggest they are the work of the same gang. To be clear, Coalfire and the Coalfire Labs group that I lead are not involved in these investigations. But we do perform security audits and digital forensics investigations for many retailers, and based on that experience we can confidently say this: all retailers are targets, and many retailers have already been compromised.

How does this happen?

Often, a concerted attacker may be able to find a previously undiscovered vulnerability in a system, the proverbial “zero-day” exploit(1). Directed attacks using these zero-day exploits frequently go undetected by many security systems, both local and network. Once a local system is compromised, the malware may disable the local security mechanisms, further reducing the probability of detection; there are recent reports of malware being developed to do precisely this. Given this, retailers should assume that they will be breached at some point, and they should make testing a routine activity.

Top 5 Indicators of Compromise (IOCs)

The only way to detect, with any reasonable level of assurance, whether a system has been compromised is to analyze its volatile memory and storage for anomalies, using utilities completely independent of the system in question. A memory dump and a disk image must be taken and analyzed for Indicators of Compromise (IOCs): artifacts in memory or on disk, anomalous configurations, or unexpected network connections. The top 5 IOCs Coalfire encounters are:

  • Unusual Outbound Network Traffic
  • Unexpected User Account Activity
  • I/O activity spikes
  • Quota and Permission Anomalies
  • Repeated Error Messages

A basic check can be performed by a forensic analyst with a quick turnaround and easy-to-understand results. Much of this analysis is tool driven, but pulling together potential IOCs to conclude with assurance whether or not a system has been compromised requires an experienced analyst. IOC checkups are performed on the memory and fixed disks of machines within a client’s Cardholder Data Environment. Proactively analyzing machines that are actively used in the processing of credit card transactions can help identify a compromise early and minimize data leakage.
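To show how the five indicators above can be turned into concrete checks, here is an added example (not Coalfire’s tooling or the forensic analysis the paragraph describes) that triages constructed per-register telemetry against each IOC category. The destination allowlist, known users, store hours, thresholds and sample events are all hypothetical values a merchant would replace with its own.

```python
from collections import Counter, defaultdict

# Constructed, hypothetical values: the destination allowlist, user list and store
# hours are placeholders for what a merchant would take from its own PA-DSS setup.
ALLOWED_DESTINATIONS = {"10.10.0.5:443", "10.10.0.7:8443"}  # gateway, store server
KNOWN_USERS = {"cashier1", "cashier2", "posadmin"}
STORE_HOURS = range(7, 23)           # logons outside 07:00-22:59 are suspicious
ERROR_REPEAT_THRESHOLD = 5           # identical error text repeated per host
IO_SPIKE_FACTOR = 4.0                # write volume vs. a register's baseline
SENSITIVE_PATHS = ("C:\\POS\\", "C:\\Windows\\System32\\")

def triage(events, io_baseline_bytes):
    """Map each host to the set of IOC categories its events trigger."""
    findings = defaultdict(set)
    error_counts = Counter()
    for e in events:
        host, kind = e["host"], e["kind"]
        if kind == "netconn" and e["dst"] not in ALLOWED_DESTINATIONS:
            findings[host].add("Unusual Outbound Network Traffic")
        elif kind == "logon" and (e["user"] not in KNOWN_USERS or e["hour"] not in STORE_HOURS):
            findings[host].add("Unexpected User Account Activity")
        elif kind == "disk_write" and e["bytes"] > IO_SPIKE_FACTOR * io_baseline_bytes:
            findings[host].add("I/O activity spikes")
        elif kind == "acl_change" and e["path"].startswith(SENSITIVE_PATHS) and "Everyone" in e["grant"]:
            findings[host].add("Quota and Permission Anomalies")
        elif kind == "error":
            error_counts[(host, e["msg"])] += 1
            if error_counts[(host, e["msg"])] >= ERROR_REPEAT_THRESHOLD:
                findings[host].add("Repeated Error Messages")
    return dict(findings)

# Constructed sample telemetry from two registers; REG-02 behaves normally.
SAMPLE_EVENTS = [
    {"host": "REG-01", "kind": "netconn", "dst": "10.10.0.5:443"},
    {"host": "REG-01", "kind": "netconn", "dst": "198.51.100.23:80"},
    {"host": "REG-01", "kind": "logon", "user": "svc_backup", "hour": 3},
    {"host": "REG-01", "kind": "disk_write", "bytes": 2_000_000_000},
    {"host": "REG-01", "kind": "acl_change", "path": "C:\\POS\\logs", "grant": "Everyone:F"},
    {"host": "REG-02", "kind": "netconn", "dst": "10.10.0.7:8443"},
    {"host": "REG-02", "kind": "logon", "user": "cashier1", "hour": 9},
    {"host": "REG-02", "kind": "disk_write", "bytes": 50_000_000},
] + [{"host": "REG-01", "kind": "error", "msg": "POS service failed to start"}] * 5

if __name__ == "__main__":
    for host, iocs in sorted(triage(SAMPLE_EVENTS, 200_000_000).items()):
        print(host, "->", ", ".join(sorted(iocs)))
```

A single hit is a lead for the analyst, not a verdict; it is the combination of categories on one host, confirmed against the memory and disk image, that supports a conclusion.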

Work with a QIR

Many of our forensic investigations are performed for small to medium businesses. These businesses are nowhere near the size of the giant retailers recently in the news. Typically, their point of sale systems have been architected, deployed and managed by a POS reseller or integrator. While these businesses, too, can benefit from an IOC checkup, we find that most breaches at this level are caused by integrators not following the payment application’s Implementation Guide. The PA-DSS Implementation Guide’s sole purpose is to communicate the configuration and specifics of implementing a payment application in a manner that facilitates the merchant’s PCI DSS compliance. Coalfire is a proponent of PCI’s Qualified Integrator and Reseller (QIR) program and recommends that companies leverage a QIR for new deployments or upgrades. Beyond engaging a QIR, having a PA-QSA firm perform a third-party assessment of the system after it has been implemented can provide an additional level of assurance as well.

Additional Preventive Measures

In addition, there are several things a merchant can do to enhance their security posture in the storefront:

  1. As mentioned above, proper implementation and periodic reviews to ensure the implementation has not been modified.
  2. Limit access to your POS systems; lock the components that have communication channels (USB, RS232, etc.) in a secure area of the POS station.
  3. Periodic physical inspection of all POS components, including the PIN Pad/MSR. Look for:
    • Forced entry; use security seals on all components that can be opened or accessed, including keyed areas that are not normally accessed.
    • Any devices that may be in a communication channel (thumb drives, custom hardware, PLU scanners, etc.). Look for devices sitting in the middle of a connection, since your hardware should be connected directly to the POS unit.
    • Skimming devices or other modifications on the PIN Pad/MSR.
  4. Provide security awareness training for all employees; ensure the training incorporates some of the typical attack vectors of a POS as mentioned above.

1 - The term “zero-day” comes from the attack being carried out on “day zero” of awareness of the vulnerability and that the system developers have had zero days to address and patch the vulnerability.
