Retailers around the world are making it easy for hackers to access their IT systems and steal lucrative financial data, says Verizon.
“Very few data breaches in the retail sector can be attributed to advanced attacks,” said Paul Pratley, investigations manager at Verizon.
“Retailers will often claim they have been the victims of sophisticated cyber attacks, but that is often aimed at covering basic security failings.”
Verizon's 2014 Data Breach Investigations Report (DBIR) revealed that attackers continue to use only a few simple techniques to steal data from retail organisations.
The most basic problem is that point of sale (POS) devices are often open to the internet and protected only by weak passwords, default passwords and even no passwords, the report said.
Attackers scan the internet for open remote access ports and gain access simply by trying a series of common passwords until the correct one is found.
These so-called brute force attacks accounted for 53% of POS intrusions covered by the latest DIBR.
Attackers then install malware to collect and exfiltrate payment card data.
Read more about data breaches
- Most cyber attacks use only three methods, Verizon breach report shows
- Target CEO quits after data breach
- Sears confirms data breach investigation amid retailer data breaches
- Orange data breach underlines need for encryption, say experts
- Target data breach: Why UK business needs to pay attention
- Bitly urges users to secure accounts after security breach
- Target’s CIO resigns after massive data breach
RAM scrapers were used in 85% of POS intrusions covered by the latest DIBR, compared with key loggers used in just 2% of intrusions.
“RAM scrapers like Black POS are not that complex and standard products that can be bought off the shelf in underground forums,” said Pratley.
“This type of malware is designed to scan all processes running on the retail systems, pull relevant data from memory, and then export that outside the organisations using an FTP server."
Technology suppliers at fault
The second most common scenario is that attackers use credentials stolen from technology suppliers, accounting for 38% of POS intrusions covered by the latest DIBR.
The problem, said Pratley, is that retailers are not in control of access to their networks because many allow technology suppliers remote access to their networks and even their POS systems.
In one case covered by the DIBR, the credentials stolen belonged to a POS supplier and were compromised through Zeus malware on the supplier’s systems.
The problem was exacerbated by the same password being used for all organisations managed by the supplier, making them all targets.
Also, the flat hub-and-spoke architecture used by many retailers make it easier for attackers to move across a network once they are inside.
Based on the data from the DIBR, Pratley said retailers can implement several relatively inexpensive security controls to block most of the common threats against the sector.
“The DIBR shows how retailers can direct limited resources to make a real difference,” he said.
The DIBR recommends that all retailers tackle the problem of third-party remote-access software such as pcAnywhere and LogMeIn.
The report notes that while the security of this software is not an issue, they are often implemented in an insecure way.
The DIBR recommends retailers limit remote access into POS systems and ensure all passwords used for remote access are not the default; are not used for other clients; and are not weak.
While stronger passwords will eliminate much of the risk, the DIBR recommends larger organisations consider at least two-factor authentication.
Retailers should also segment the POS environment from the rest of the corporate network and restrict administrative access as much as possible, said Pratley.
Multi-store companies should review interconnectivity between stores and central locations, and treat them as semi-trusted connections.
The DIBR recommends retailers monitor network traffic to and from the POS network, and ensure they can identify anomalous traffic for investigation.
“It is also important to keep up with the changing threat environment and to share information about security incidents with others in the same sector,” said Pratley.
Integration of threat intelligence and intelligence sharing, he said, is becoming an increasingly important component of doing security well.
“Attackers are extremely collaborative in their efforts, so defenders need to counter that advantage by doing the same,” he said.