I feel like I’m stuck in Bill Murray’s Groundhog Day. Yet again, it came to my attention that a major American retailer has been hit with POS (point-of-sale) malware. This time, it’s hobby shop giant Michaels.
I hear that Target’s POS malware crisis, which made international headlines last December and January, may be made into a movie. If and when that happens, I won’t wait for Netflix. I’ll be at my local multiplex buying tickets.
That nicely segues into yet another reason you want to avoid these types of attacks if you’re a major retailer. When information security attacks affect popular brands, it does generate a lot of lingering negative PR. And it can’t be kept secret. The media will find out. It’s difficult to calculate how much money specific retailers have lost from hits to consumer confidence, but it’s got to be pretty significant.
Customers just don’t want their credit card and banking information to be stolen as a result of shopping at a specific store. Who can blame them?
As an IT security researcher, I’ve been studying this recent phenomenon very carefully. I’ll explain what I know about the new Michaels attack, then I’ll explain three simple ways that retailers and restaurants can avoid becoming the next, ummmm… target.
What Happened to Michaels Stores
This past January, Michaels became aware of a large number of customers reporting that credit cards they had used at the retailer were incurring fraudulent charges. Michaels CEO Chuck Rubin announced that the company was conducting an investigation.
On April 17th, Rubin issued a press release that shook the media. Approximately 2.6 million payment cards that had been used between May 8th, 2013 and January 27th, 2014 may have had their data leaked from the company’s POS system. Michaels subsidiary Aaron Brothers was also affected: about 400,000 payment cards used between June 26th, 2013 and February 27th, 2014.
Customers who are wondering if they’ve been hit should contact their banking and credit card institutions as soon as possible. A large number of locations across the United States were attacked.
It has yet to be confirmed, but RAM scraping malware is most likely the culprit.
As I mentioned when I wrote about the Target attack in January, RAM scraping malware is becoming a favorite method for criminals to acquire credit card and banking data from retailer POS systems. That’s the type of malware that affected Target and Neiman Marcus.
RAM scraping malware is becoming popular with blackhats because it bypasses the encryption that protects POS systems. Criminals can buy RAM scraping malware from online underground markets. It infects the data storage within POS systems, and then reads and transmits credit card and banking data directly from a POS terminal’s RAM, where the data is held unencrypted while it is being processed.
The malware that the digital forensics firms hired by Michaels found was completely new to them. But new RAM scraping malware is being developed constantly. Also, RAM scraping malware that’s already known to exist can be run through a crypter to become FUD (fully undetectable), a term used by blackhats within underground malware markets. That means that when a new crypter is released, Symantec, Kaspersky and other antivirus vendors don’t yet have a signature for the repacked samples it produces. The development of new crypters and the antivirus vendors’ discovery of and signature creation for them is a constant cat-and-mouse game.
So, if you’re a retailer or restaurant, how can you prevent becoming the next victim? Here are three simple ways.
Isolate Your POS System from the Internet
In my research, I’ve discovered that the POS systems used by most medium-sized and large retailers are connected to the internet. Even when that connection to the internet goes through properly configured firewalls and antivirus shields, it’s always a bad idea that often leads to horrible consequences later on.
Retailers usually justify the internet connection because they believe it’s necessary for patch management and so that their internal networks can be remotely administered.
Patch management is vital, of course. Operating systems and the applications that run on them must have the latest patches for optimal functionality and security. Even though patches are usually acquired through the internet, the internal networks that POS systems operate in needn’t be connected to the internet in any way.
My husband and a number of my friends also work in IT security. I’ve been discussing my POS malware research with them lately. “Even back in the late 1980s, we knew how to install patches from the internet without any need for the internal network to be connected!”
Have an internet-connected terminal that has no connection to the internal network run specialized patch management software, configured for the operating systems and applications that are used in your POS system. Once a week, download all new patches and transfer them to removable media, such as a USB flash drive or external HDD. Scan the media holding the week’s patches with recently updated antivirus software. If and when no malware is found on it, physically deliver the media to a server in the internal network that runs the same patch management program. From that server, update client and server machines in the internal network with the latest patches.
If the internal network requires some sort of remote administration, make sure you choose a security-minded VPN vendor for a solution. Only a minimal number of employees should be allowed to use the VPN to remotely administer the internal network, and they must use the VPN every single time. Otherwise, there should be no internet connection whatsoever. Only those specific employees should have credentials for the VPN, and the MAC addresses belonging to the NICs in the computers they use should have exclusive access.
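The removable-media hand-off above only works if the internal patch server can tell an untouched drive from one that was altered in transit. Here is an added example of that check, written for this post rather than taken from it: stage 1 runs on the internet-connected download host and builds a bundle with a SHA-256 manifest, stage 2 runs on the isolated patch server and refuses the media unless every file matches and nothing unlisted is present. The directory names are assumed, and the manifest digest printed by stage 1 is meant to travel out-of-band (for example written on the media label), never on the drive itself.

```shell
#!/bin/sh
# Added example, not code from the original article. Directory names assumed.
# Stage 1 (download host): copy the week's patches into a bundle and write a
# SHA-256 manifest. Prints the manifest digest that the courier carries
# separately from the media, so a swapped drive cannot bring its own manifest.
# usage: build_bundle <downloaded_patch_dir> <bundle_dir>
build_bundle() {
    src="$1"; out="$2"
    mkdir -p "$out/patches"
    cp "$src"/* "$out/patches/"
    ( cd "$out" && find patches -type f | LC_ALL=C sort | xargs sha256sum ) \
        > "$out/MANIFEST.sha256"
    sha256sum "$out/MANIFEST.sha256" | cut -d' ' -f1
}

# Stage 2 (isolated patch server): returns 0 only if the manifest matches the
# out-of-band digest, every listed file matches its hash, and no unlisted file
# is present on the media (an extra executable is how malware would ride in).
# usage: verify_bundle <bundle_dir> <expected_manifest_digest>
verify_bundle() {
    dir="$1"; expected="$2"
    actual=$(sha256sum "$dir/MANIFEST.sha256" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] \
        || { echo "manifest does not match out-of-band digest" >&2; return 1; }
    ( cd "$dir" && sha256sum -c --status MANIFEST.sha256 ) \
        || { echo "a listed patch file was altered" >&2; return 1; }
    listed=$(awk '{print $2}' "$dir/MANIFEST.sha256" | LC_ALL=C sort)
    present=$(cd "$dir" && find patches -type f | LC_ALL=C sort)
    [ "$listed" = "$present" ] \
        || { echo "unlisted file found on media" >&2; return 1; }
    return 0
}
```

Only after verify_bundle succeeds should the antivirus scan and the hand-off to the internal patch management server proceed; a non-zero return means the drive goes back to the download host, not into the internal network.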
Switch Your POS System from Windows to Linux
Windows, both client-side and server-side, is the platform most vulnerable to malware, by far. Mac OS X, other BSD/Unix distros, Linux distros and other platforms aren’t immune to malware, but there’s a lot less malware on the internet that targets those operating systems.
All of the POS RAM scrapping malware I’ve researched thus far targets Windows only. That’s likely because most POS terminals use Windows.
Linux-based operating systems also have a security feature that Windows lacks. In Windows and Windows Server, accounts have administrative privileges by default. An administrator has to make sure that newly created user accounts have limited privileges.
But let’s assume that in Active Directory on the Windows Server end, the administrator is very careful to make sure only their account has full privileges and that all user accounts they create have very carefully selected privileges, limited to the system resources they must have access to. When the administrator is logged into their admin account, their machine has full admin access until they log out of that account.
Let’s suppose that while the admin account is open, their machine gets infected with some potentially destructive malware. Using a currently patched antivirus shield mitigates a lot of the risk, but it still happens frequently, especially with zero-day attacks.
The more system privileges an account has, the more destructive malware can be. In recent years, Microsoft introduced User Account Control. When an executable file tries to launch, what’s supposed to happen is that the screen goes gray, except for a pop-up verifying whether or not the user actually wants to execute the file.
But malware developers have been able to overcome UAC for a number of years now. UAC may stop some malware from executing, but certainly not all of it.
In all Linux-based OSes, even if the user is logged into an account with full admin privileges, “root” must be granted in order to make any system changes. I have to launch a BASH terminal, type “sudo” before my command, and when I hit enter, I must type in my password. If I want to make a system change five minutes later, I must grant “root” all over again.
From a user’s point of view, it may seem very much like Microsoft’s UAC. But on a deep technical level, it’s a completely different system altogether. The “root” system in Linux and Unix distros has been found to be many times more malware resistant than UAC.
If Target’s and Neiman Marcus’ POS systems were running Linux-based OSes instead of Windows, the major attacks they’ve had recently would have never happened, as they were infected with Windows malware. And if the internal networks they were using weren’t connected to the internet, the POS malware that infected their systems wouldn’t have entered in the first place.
I’m focusing on Linux distros rather than Mac OS X or other BSD/Unix distros because the Linux world has the greatest number of POS alternatives to Windows.
There are a few very well supported POS software suites for Linux that I’ll introduce, which are excellent for medium-sized retailers, large retailers, and restaurants.
LemonPOS is an open-source, all-in-one Linux-based POS solution which can be used by retailers of all sizes. Available in both English and Spanish, it has versions for Ubuntu, OpenSUSE, Arch and Mandriva. Their extensive support community really impresses me. They even have a sophisticated ticketing system, so you can receive the enterprise-level support you’d expect from a major vendor.
The client-end of LemonPOS is called “lemon,” and the server-end is called “squeeze.” Their UIs can even be customized with style sheets.
The software suite is compatible with Star Micronics printers and Datalogic barcode scanners. For more information, check out http://lemonpos.org
OpenBravo Commerce Platform is another wonderful option to consider.
OBCP has Enterprise, Standard and On Demand versions, each with different levels of features and support. Openbravo Appliance is designed for virtual machines, and there are also packages that can be installed directly in Ubuntu.
Many major retailers are already using OpenBravo, and you can try a free demo to see if OBCP is right for your business.
ViewTouch offers an excellent Linux-based POS solution especially for foodservice. According to the developer, they were the very first touchscreen restaurant POS system.
They offer all of their own hardware as well, so their products can be implemented with maximum ease.
Visit http://viewtouch.com to learn more.
Be Security-Minded 365 Days a Year
Information security is a process which must be minded every day of the year. It’s not a system that’s set up once and only checked on from time to time.
Your retail or foodservice business must implement an extensive security strategy that should evolve with time, regardless of the size of your operation.
One of the biggest problems we IT security practitioners have with major businesses is when people at the executive level, including CTOs, decide not to listen to the technical advice offered by security experts. Very often, IT security-minded staff will ask for a budget to better secure their company’s operations, and executives will dismiss such requests as being too expensive.
It’s always a lot less expensive to implement proper security from the get-go than to be hit by a major attack or breach and then have to clean up the mess afterwards. Ask Target, Neiman Marcus and Michaels if they’re willing to talk.
If your IT staff is small, your network and systems administrators must be properly trained in IT security, and they must be constantly re-educated, as everything in computer technology evolves very quickly. And every aspect of computer technology is related to security in one way or another.
If you have a dozen or more technical staff, at least one employee should be dedicated to security operations.
Security practitioners should have at least the CompTIA Security+ certification, and they should rewrite the exam whenever a new version is released.
People with five or more years of IT security experience may also write the CISSP.
It would be prudent to invest in your network admins, sysadmins and dedicated security staff by paying for their training and exams.
Once you’ve made sure you’ve got a proper internal IT security strategy, don’t forget penetration testing.
Only third parties should pen test your networks, because your own staff already know how your computing systems work. A pen tester should have the perspective of an external blackhat.
Hire third party penetration testing once a year, or when major changes are made to your system, whichever is more frequent.
Based on the findings of your pen testers, you can better harden your networks and devices.
Keep all of this in mind, and you’ll be ahead of your competitors when it comes to being secure against POS malware, which has already been considerably destructive to a number of large corporations.